Open Bug 1552715 Opened 6 years ago Updated 2 years ago

webRequest.onBeforeRequest redirect to data:text/html gets blocked

Categories

(WebExtensions :: Request Handling, enhancement, P3)

Product:
WebExtensions
Component:
Request Handling
Version:
66 Branch
Type:
enhancement

Tracking

(firefox67 affected, firefox68 affected, firefox69 affected)

Tracking Flags:
Tracking Status
firefox67 --- affected
firefox68 --- affected
firefox69 --- affected

People

(Reporter: lidel, Unassigned)

References

Details

Attachments

(1 file)

data-url-redirect-issue.zip
1.20 KB, application/zip
Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

Used webRequest.onBeforeRequest to redirect HTTP request to data URL of an HTML page.

Actual results:

Request got blocked due to "security.data_uri.block_toplevel_data_uri_navigations" protection.

I attach simple browser extension that demonstrates the problem by registering redirect to data URL and then opening matching URL in a new tab to trigger a redirect in onBeforeRequest.

Error should be visible in Browser Console.
Additional screenshots can be found at: https://github.com/ipfs-shipyard/ipfs-companion/issues/723

Expected results:

I imagine "security.data_uri.block_toplevel_data_uri_navigations" protection should not block redirects done via WebExtension APIs, as extension code is already screened as a part of AMO review.

The issue can be reproduced on the latest Release version (67.0 – 64 bit, in addition to the 66.05 - 64 bit Release version), Beta (68.0b3 – 64 bit) and Nightly (69.0a1 – 64 bit) by following the above STR under ‘Ubuntu16.04 LTS’, ‘Windows 10 Pro 64-bit’ and ‘macOS High Sierra 10.13.6’.

Status: UNCONFIRMED → NEW
status-firefox67: --- → affected
status-firefox68: --- → affected
status-firefox69: --- → affected
Ever confirmed: true

My understanding from some cursory reading is that we purposely do not allow top level redirects like this, but specifically allowed subrequest redirects.

Bug 1434357 added a flag to allow data urls in a webRequest redirect, but it only tests a subrequest.
Bug 1380959 adds the pref to prevent top level redirects, probably for good reason, but lets get input from Christoph.

Flags: needinfo?(ckerschb)
See Also: → 1434357, 1380959
Type: defect → enhancement

Could we get a good use case?

Flags: needinfo?(lidel)

(In reply to Shane Caraveo (:mixedpuppy) from comment #2)

My understanding from some cursory reading is that we purposely do not allow top level redirects like this, but specifically allowed subrequest redirects.

Bug 1434357 added a flag to allow data urls in a webRequest redirect, but it only tests a subrequest.
Bug 1380959 adds the pref to prevent top level redirects, probably for good reason, but lets get input from Christoph.

Sorry for the lag. As far as the problem goes, we explicitly added a carveout for extensions which allows insecure redirects to a data: URI within Bug 1434357. I am wondering what uBlock is doing differently so they are hitting that codepath [1] which greenlights the redirect. Probably we could/should update that codepath as well and set the allowInsecureRedirectToDataURI for that codepath as well.

[1] https://hg.mozilla.org/integration/mozilla-inbound/rev/416adbc7c8e7#l13.11

Flags: needinfo?(ckerschb)

(In reply to Shane Caraveo (:mixedpuppy) from comment #3)

Could we get a good use case?

  • Generic
    • Improve UX by redirecting requests known to take long time to ephemeral "loading" screen that works the same across all vendors
    • Enable offline preview for HTML authoring in WebExtension Context that does not require 3rd party service
  • Specific to ipfs-companion extension:
    • display a loading screen when content discovery takes too long (DHT warmup etc)
    • return HTML pages fetched from IPFS without the need for running HTTP Gateway as a separate localhost app
Flags: needinfo?(lidel)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)

(In reply to Shane Caraveo (:mixedpuppy) from comment #2)

My understanding from some cursory reading is that we purposely do not allow top level redirects like this, but specifically allowed subrequest redirects.

Bug 1434357 added a flag to allow data urls in a webRequest redirect, but it only tests a subrequest.
Bug 1380959 adds the pref to prevent top level redirects, probably for good reason, but lets get input from Christoph.

Sorry for the lag. As far as the problem goes, we explicitly added a carveout for extensions which allows insecure redirects to a data: URI within Bug 1434357. I am wondering what uBlock is doing differently so they are hitting that codepath [1] which greenlights the redirect. Probably we could/should update that codepath as well and set the allowInsecureRedirectToDataURI for that codepath as well.

Christoph, are you suggesting we check the allow flag here?

https://searchfox.org/mozilla-central/rev/f8b11433159cbc9cc80500b3e579d767473fa539/dom/security/nsContentSecurityManager.cpp#48

Flags: needinfo?(ckerschb)

(In reply to Shane Caraveo (:mixedpuppy) from comment #6)

Christoph, are you suggesting we check the allow flag here?

https://searchfox.org/mozilla-central/rev/f8b11433159cbc9cc80500b3e579d767473fa539/dom/security/nsContentSecurityManager.cpp#48

Yes, basically do:
// Web Extensions are exempt from that restriction and are allowed to redirect
// a channel to a data: URI. When a web extension redirects a channel, we set
// a flag on the loadInfo which allows us to identify such redirects here.
if (loadInfo->GetAllowInsecureRedirectToDataURI()) {
return true;
}

which hopefully does the trick, but I would imagine the redirect goes through:
https://searchfox.org/mozilla-central/source/toolkit/components/extensions/webrequest/WebRequest.jsm#846

which would set the flag.

Flags: needinfo?(ckerschb)

@Marcin Rataj,

Have you entertained just opening an extension page instead of redirecting outright?

That is, block the network request and instead load your extension page using browser.tabs.update(...) with whatever query parameters needed to
configure the rendering of the page.

An example of such technique is used in uBlock Origin to warn a user before loading a navigated-to web page.

Given that there are other mechanisms that can be used to achieve the same, a) I see no reason we shouldn't do this, and b) it's not a P1 but it's simple so we should get it done sooner than later. P2 it is.

Priority: -- → P2

(In reply to rhill@raymondhill.net from comment #8)

@Marcin Rataj,

Have you entertained just opening an extension page instead of redirecting outright? [..]

Good idea, should be good enough for our loading screen. Thanks!

(In reply to Shane Caraveo (:mixedpuppy) from comment #9)

Given that there are other mechanisms that can be used to achieve the same[..]

There are some interesting properties of data:text/html, that make them useful, eg. when we don't want to run third party JS in the context of extension's background page. dataURL will have window.location.origin equal "null", removing some risks.
But I agree, its a niche use, so low priority.

Would be nice to fix, but not a high priority.

Priority: P2 → P3

Wasn't this already fixed on bug 1434357 (see https://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityManager.cpp#147-152)
I still can't redirect to data URIs using webRequest.onBeforeRequest.

We don't have test coverage for redirects to data:-URLs, except for scripts at https://searchfox.org/mozilla-central/rev/27932d4e6ebd2f4b8519865dad864c72176e4e3b/toolkit/components/extensions/test/xpcshell/test_ext_file_access.js#157-170

Consequently, there is unfortunately no guarantee that it works, or continues to work.
A new unit test is added to test redirects to data:-URLs for font files in bug 1645683, but that's still not everything.

See Also: → 1645683
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: