WebExtension: content scripts should be injected in data URL pages



10 months ago
10 months ago


(Reporter: kkapsner, Unassigned)



61 Branch

Firefox Tracking Flags

(Not tracked)



(3 attachments)



10 months ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180705213349

Steps to reproduce:

When a webExtension has content scripts with should be injected in "<all_urls>" they should also be injected in data URL pages (data:text/html;...) that come from a web page (e.g. over an iFrame).

The same issue is known to Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=55084
And the implications for privacy addons (e.g. fingerprinting protection) are the same. A page can easily circumvent such addons by using an iFrame with a data-URL.

Reproduction scenario.
- Install the example webExtension https://github.com/mdn/webextensions-examples/tree/master/notify-link-clicks-i18n
- go to https://itty.bitty.site/#/data:text/html;base64,PGh0bWw+PGJvZHk+PGEgaHJlZj0iaHR0cHM6Ly9leGFtcGxlLm9yZyI+Y2xpY2s8L2E+PC9ib2R5PjwvaHRtbD4=
- accept the disclaimer
- click on "click"

Actual results:

The example.org page loads without a notification

Expected results:

The webExtension should display a notification


10 months ago
Component: Untriaged → General
Product: Firefox → WebExtensions
We only match data: URLs if match_about_blank is true and the content script matches the URL of the document's actual origin. This is intentional.
Last Resolved: 10 months ago
Resolution: --- → INVALID

Comment 2

10 months ago
If you modify the example webExtension to have match_about_blank to be true (I also added all_frames to be sure) it still does not work.

  "content_scripts": [
      "match_about_blank": true,
      "all_frames": true,
      "matches": ["<all_urls>"],
      "js": ["content-script.js"]

And adding the content script via browser.tab.executeScript just prompts that the host permission is missing.

Also you can see in the two screenshots I added that the content script is injected in about:blank but not in the data-URL.

Comment 3

10 months ago

Comment 4

10 months ago


10 months ago
Resolution: INVALID → ---

Comment 5

10 months ago
Where is this behaviour of match_about_blank on data-URLs documented?

Comment 6

10 months ago
Here is the real world issue with this bug: https://github.com/kkapsner/CanvasBlocker/issues/208

Comment 7

10 months ago
This is a regression from bug 1324406.

In bug 1324406, data:-URIs started having unique origins, hence the match_about_blank does not apply any more.

If we want to support data:-URIs in content scripts, there are multiple directions:
- Match data:-URIs when match_about_blank is set.
- Introduce match_data_url (https://crbug.com/55084#c25 ).
- Support "data:" as a match pattern. Our MatchPattern class currently already supports "data:" [1], and <all_urls> includes data:-URIs by default. However, content scripts do not accept "data:" as an explicit match pattern [3], and the WebExtensionContentScript::Matches logic does not account for data:-URIs with a unique principal [4].

[1]: https://searchfox.org/mozilla-central/rev/943a6cf31a96eb439db8f241ab4df25c14003bb8/toolkit/components/extensions/MatchPattern.cpp#266
[2]: https://searchfox.org/mozilla-central/rev/943a6cf31a96eb439db8f241ab4df25c14003bb8/toolkit/components/extensions/MatchPattern.cpp#266,289,293-294
[3]: https://searchfox.org/mozilla-central/rev/943a6cf31a96eb439db8f241ab4df25c14003bb8/toolkit/components/extensions/schemas/manifest.json#469
[4]: https://searchfox.org/mozilla-central/rev/943a6cf31a96eb439db8f241ab4df25c14003bb8/toolkit/components/extensions/WebExtensionPolicy.cpp#472,484-486,501,507
Depends on: 1324406
Ever confirmed: true
Keywords: regression
See Also: → 1417975

Comment 8

10 months ago
Posted file datauri.zip
Steps to reproduce:
1. Load attached extension via about:debugging (or unzip it and do: web-ext run).
   (The extension opens example.com, loads a data:-URI)
3. Look at the bottom of the frame and the bottom of the page.

Expected result:
- "This is injected by a content script at a data:-URL" in the frame.
- "This is injected by a content script at a https:-URL" in top-level document.

Actual result:
- (frame not modified)
- "This is injected by a content script at a https:-URL" in top-level document.

- Visit about:config and set security.data_uri.unique_opaque_origin to false, and then you will see the expected behavior.


10 months ago
Priority: -- → P2

Comment 9

10 months ago
bug 1417975 notes that data: URIs work from iframe src, but not from location bar, object tag, or frameset frame tags

Comment 10

10 months ago
In my tests it also does not work in iframes. I think something was changed there in the meantime.


10 months ago
See Also: → 1411641
You need to log in before you can comment on or make changes to this bug.