Open Bug 1622986 Opened 4 years ago Updated 1 year ago

Accept `data:`-URLs in various places in the extension API framework

Categories

(WebExtensions :: General, defect, P3)

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

(Blocks 2 open bugs)

Details

data:-URIs are currently rejected in many of our WebExtension APIs, with the error

Error: Illegal URL: data:,etc.

This is because the check at ExtensionCommon.checkLoadURL relies on nsScriptSecurityManager::CheckLoadURIWithPrincipal, which throws NS_ERROR_DOM_BAD_URI for data:-URIs. Consequently, other consumers of this method in our framework fail to accept data:-URIs:

In order to support data:-URLs, we need to:

  • Check on a case-by-case basis whether we want to allow data:-URLs for all (direct and indirect) uses of checkLoadURL, and treat them differently if needed (e.g. using a new format).
  • Decide whether we want to always allow data:-URL loads, or only when security.data_uri.unique_opaque_origin is true (which is the case by default). I'm in favor of the former, provided that all loads are using the null principal even if that pref is false. We should have unit tests regardless, that verify that the data:-URL can be loaded and that the extension principal is not inherited.
  • Fix checkLoadURL so it accepts data:-URLs. There are multiple approaches: We can either add an explicit check for data:-URLs to ExtensionCommon.checkLoadURL, or add URI_LOADABLE_BY_EXTENSIONS to nsDataHandler::GetProtocolFlags.
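
An added example, not part of the original report and not Firefox code: a simplified JavaScript model of the first approach in the last bullet, an explicit data: branch ahead of the existing check, opted into per call site and always yielding a null principal. The `allowData` option, the `baselineCheck` stand-in, the principal labels and the sample host are assumptions made for illustration; only the error text comes from the report.

```javascript
// Simplified model for illustration; none of these functions are Firefox code.
const EXT_HOST = "0a1b2c3d-constructed-uuid"; // constructed sample extension host

// Stand-in for the principal-based check: accepts web URLs and the
// extension's own pages, rejects everything else (data: included).
function baselineCheck(parsed, extHost) {
  if (parsed.protocol === "http:" || parsed.protocol === "https:") {
    return "content";
  }
  if (parsed.protocol === "moz-extension:" && parsed.host === extHost) {
    return "extension";
  }
  throw new Error(`Illegal URL: ${parsed.href}`);
}

// allowData is a per-call-site opt-in, so each consumer decides case by case.
function checkLoadURL(url, extHost, { allowData = false } = {}) {
  let parsed;
  try {
    parsed = new URL(url); // normalizes scheme case and surrounding whitespace
  } catch {
    throw new Error(`Illegal URL: ${url}`);
  }
  if (parsed.protocol === "data:") {
    if (!allowData) {
      throw new Error(`Illegal URL: ${url}`);
    }
    // Explicit data: branch: always a null principal, never the extension's.
    return { href: parsed.href, resultPrincipal: "null" };
  }
  return { href: parsed.href, resultPrincipal: baselineCheck(parsed, extHost) };
}

// The kind of unit test the report asks for: the load is accepted and the
// extension principal is not inherited.
function dataUrlDoesNotInherit(url) {
  const result = checkLoadURL(url, EXT_HOST, { allowData: true });
  return result.resultPrincipal === "null";
}
```
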
Priority: -- → P3

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Severity: normal → S3
See Also: → 1696174