Open Bug 1579790 Opened 5 months ago Updated 5 months ago

Investigate possible restriction for "WebDriver:Get" for certain about:* pages in content scope

Categories

(Testing :: Marionette, enhancement, P3)

Version 3
enhancement

Tracking

(Not tracked)

People

(Reporter: whimboo, Unassigned)

References

(Blocks 1 open bug)

Details

Via https://github.com/mozilla/geckodriver/issues/1610 I noticed that people are navigating to e.g. about:preferences to change settings or trigger actions while still staying in content scope.

I find that this shouldn't be doable by default. Access to privileged about pages should also require some special privileges for Marionette's content scope.

To not add more complexity we could also change the chrome scope behavior, and no longer raise an exception for WebDriver:Get, but also use the currently selected top-browsing context for navigation, which would allow navigating to privileged about pages.

We would need a white-list of about pages accessible by the content scope navigation requests.

As of now I don't know how much security related that is. Andreas, what do you think?

Flags: needinfo?(ato)

Whereby interacting with elements would still have to go through the content context.

Note that a script can actually escape the focus from the content tab, and let it access chrome elements. See https://github.com/mozilla/geckodriver/issues/1610 for more details.

OperaDriver had a restriction on visiting privileged browser resources,
such as opera:debug and opera:preferences.

I sought to implement this in Marionette about six years ago, but
it was met with resistance from the then-maintainer of Marionette.

(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #0)

> To not add more complexity we could also change the chrome
> scope behavior, and no longer raise an exception for
> WebDriver:Get, but also use the currently selected top-browsing
> context for navigation, which would allow navigating to
> privileged about pages.

Not sure if I understood this, but it’s perfectly reasonable
to allow navigation to about:* within chrome context.

Blocks: 1355883
Type: task → enhancement
Flags: needinfo?(ato)
Priority: -- → P3

(In reply to Andreas Tolfsen 「:ato」 from comment #2)

> Not sure if I understood this, but it’s perfectly reasonable
> to allow navigation to about:* within chrome context.

In Chrome context we do not allow any kind of navigation, because the browser context would be the chrome window. It means any navigation would result in a broken window. So it is best to completely drop that part of my suggestion.

For the record I can see valid use cases for wanting to write Firefox
chrome tests for the likes of about:preferences and about:addons
with Marionette, but it may be that this is not a current priority.

It is possible to conceive that WebDriver:Navigate could be tweaked
to navigate the content browser in this particular case. From my
recollection it currently returns an error because navigation in
chrome context is currently not supported.

A second point relating to the original question of navigation to
about:* in content context is that we already make quite extensive
use of this in unit tests because some of them trigger special
behaviour in Gecko (such as about:robots):
https://searchfox.org/mozilla-central/search?q=about%3A&path=testing%2Fmarionette

(In reply to Andreas Tolfsen 「:ato」 from comment #4)

> A second point relating to the original question of navigation to
> about:* in content context is that we already make quite extensive
> use of this in unit tests because some of them trigger special
> behaviour in Gecko (such as about:robots):
> https://searchfox.org/mozilla-central/search?q=about%3A&path=testing%2Fmarionette

We mostly use them to not trigger a remoteness change. Tests might go away anyway in the future.

But yes, that bug is lower priority. I just wanted to have it logged for investigation and solution finding.

Yes, I was just moderating my earlier statement that this should
apply to all about:*. But I think this is captured nicely in
your bug description by “certain about:* pages” (my emphasis).

It is quite likely we will need a blacklist/whitelist. Note in the
earlier grep I did of the source code, we encode references to
particular about: pages randomly throughout the source code. It
would be beneficial to centralise that in a single black-/whitelist.
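
A sketch of the centralised allowlist discussed in this bug, as an added example that is not Marionette's code and not from any commenter. The names `CONTENT_ALLOWED_ABOUT_PAGES`, `aboutPageName` and `checkNavigation`, the return shape, and the pages placed on the list are all hypothetical; case-insensitive matching of page names is an assumption.

```javascript
// Constructed policy for illustration only. Which pages belong on the
// list is the open question of this bug; "blank" and "robots" are
// placeholders, not a decision recorded in the thread.
const CONTENT_ALLOWED_ABOUT_PAGES = new Set(["blank", "robots"]);

// Return the about: page name for a parsed URL, or null for other schemes.
// The URL parser has already split off "?query" and "#fragment", so
// about:preferences#privacy yields "preferences".
// Assumption: page names are compared case-insensitively.
function aboutPageName(url) {
  if (url.protocol !== "about:") {
    return null;
  }
  return url.pathname.toLowerCase();
}

// Decide whether a WebDriver:Get request may proceed.
// `context` is "content" or "chrome" (hypothetical parameter).
function checkNavigation(rawUrl, context) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { allowed: false, reason: "invalid URL" };
  }
  if (context === "chrome") {
    // Per the thread, navigation in chrome context is not supported.
    return { allowed: false, reason: "navigation unsupported in chrome context" };
  }
  const page = aboutPageName(url);
  if (page === null) {
    return { allowed: true, reason: "not an about: URL" };
  }
  if (CONTENT_ALLOWED_ABOUT_PAGES.has(page)) {
    return { allowed: true, reason: `about:${page} is on the allowlist` };
  }
  // Default deny: any about: page not listed is treated as privileged.
  return { allowed: false, reason: `about:${page} is not on the allowlist` };
}
```

Keeping the decision in one function with a default-deny branch means a newly added about: page stays unreachable from content scope until someone lists it explicitly.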
