Open
Bug 1622986
Opened 4 years ago
Updated 1 year ago
Accept `data:`-URLs in various places in the extension API framework
Categories
(WebExtensions :: General, defect, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: robwu, Unassigned)
References
(Blocks 2 open bugs)
`data:`-URIs are currently rejected in many of our WebExtension APIs, with the error

Error: Illegal URL: data:,etc.

This is because the check at `ExtensionCommon.checkLoadURL` relies on `nsScriptSecurityManager::CheckLoadURIWithPrincipal`, which throws `NS_ERROR_DOM_BAD_URI` for `data:`-URIs. Consequently, other consumers of this method in our framework fail to accept `data:`-URIs:

- Users of `checkLoadURL`: https://searchfox.org/mozilla-central/search?q=checkLoadURL
- Including schemas that use the "url" format.
- Including schemas that use the "relativeUrl" format and derivatives such as the `homePageUrl` format.

In order to support `data:`-URLs, we need to:

- Check on a case-by-case basis whether we want to allow `data:`-URLs for all (direct and indirect) uses of `checkLoadURL`, and treat them differently if needed (e.g. using a new format).
- Decide whether we want to always allow `data:`-URL loads, or only when `security.data_uri.unique_opaque_origin` is true (which is the case by default). I'm in favor of the former, provided that all loads are using the null principal even if that pref is `false`. We should have unit tests regardless, that verify that the `data:`-URL can be loaded and that the extension principal is not inherited.
- Fix `checkLoadURL` so it accepts `data:`-URLs. There are multiple approaches: We can either add an explicit check for `data:`-URLs to `ExtensionCommon.checkLoadURL`, or add `URI_LOADABLE_BY_EXTENSIONS` to `nsDataHandler::GetProtocolFlags`.
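The first approach from the description, sketched as an added example that is not part of the bug report and is not Firefox source: a simplified model of a `checkLoadURL`-style gate with an explicit, opt-in `data:` check ahead of the delegated principal check. `principalMayLoad`, `EXTENSION_HOST`, the `allowDataURLs` option and the `loadOrigin` field are hypothetical names, and the rules for non-`data:` schemes are assumptions.

```javascript
// Simplified model for illustration; not Firefox source code.
const EXTENSION_HOST = "constructed-uuid"; // constructed sample value

// Hypothetical stand-in for nsScriptSecurityManager::CheckLoadURIWithPrincipal.
// The bug report says that check rejects data: URIs; the other rules here are
// assumptions made so the model has something to delegate to.
function principalMayLoad(url) {
  if (url.protocol === "http:" || url.protocol === "https:") {
    return true;
  }
  return url.protocol === "moz-extension:" && url.host === EXTENSION_HOST;
}

// Explicit data: check ahead of the delegated check, opt-in per caller so
// each direct or indirect use can be reviewed case by case.
function checkLoadURL(spec, { allowDataURLs = false } = {}) {
  let url;
  try {
    url = new URL(spec);
  } catch (e) {
    throw new Error(`Illegal URL: ${spec}`);
  }
  // Test the parsed scheme, not a string prefix: the parser lowercases the
  // scheme and strips surrounding whitespace, so "DATA:" and " data:" match.
  if (allowDataURLs && url.protocol === "data:") {
    // The report wants data: loads on the null principal, never the
    // extension's; the model records that as an opaque "null" origin.
    return { href: url.href, loadOrigin: "null" };
  }
  if (!principalMayLoad(url)) {
    throw new Error(`Illegal URL: ${spec}`);
  }
  const isExt = url.protocol === "moz-extension:";
  return { href: url.href, loadOrigin: isExt ? `moz-extension://${url.host}` : url.origin };
}

// Returns the error message if the URL is rejected, or null if accepted.
function rejection(spec, options) {
  try {
    checkLoadURL(spec, options);
    return null;
  } catch (e) {
    return e.message;
  }
}
```

The same shape suits the unit tests the description asks for: assert that the `data:` URL is accepted and that the resulting origin is the opaque one, not the extension's.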
Updated by reporter • 4 years ago
Priority: -- → P3
Comment 1 • 4 years ago
Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)
Severity: normal → S3