Open Bug 1622986 Opened 5 years ago Updated 1 year ago

Accept `data:`-URLs in various places in the extension API framework

Categories

(WebExtensions :: General, defect, P3)

Product:
WebExtensions
Component:
General
Type:
defect

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

(Blocks 2 open bugs)

Details

data:-URIs are currently rejected in many of our WebExtension APIs, with the error

Error: Illegal URL: data:,etc.

This is because the check at ExtensionCommon.checkLoadURL relies on nsScriptSecurityManager::CheckLoadURIWithPrincipal, which throws NS_ERROR_DOM_BAD_URI for data:-URIs. Consequently, other consumers of this method in our framework fail to accept data:-URIs:

In order to support data:-URLs, we need to:

  • Check on a case-by-case basis whether we want to allow data:-URLs for all (direct and indirect) uses of checkLoadURL, and treat them differently if needed (e.g. using a new format).
  • Decide whether we want to always allow data:-URL loads, or only when security.data_uri.unique_opaque_origin is true (which is the case by default). I'm in favor of the former, provided that all loads are using the null principal even if that pref is false. We should have unit tests regardless, that verifies that the data:-URL can be loaded and that the extension principal is not inherit.
  • Fix checkLoadURL so it accepts data:-URLs. There are multiple approaches: We can either add an explicit check for data:-URLs to ExtensionCommon.checkLoadURL, or add URI_LOADABLE_BY_EXTENSIONS to nsDataHandler::GetProtocolFlags.
Priority: -- → P3

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Severity: normal → S3
See Also: → 1696174

The security.data_uri.unique_opaque_origin pref got removed in bug 1552168, so data:-URIs can only have null principals.

Web content can ordinarily not navigate to data:-URLs at the top level (introduced in bug 1331351, but they can in iframes!). And users can still navigate to data:-URLs, e.g. through the address bar or a bookmark.

I'm inclined to not add data:-URL support to tabs.create / tabs.update since browsers are trying to discourage top-level data:-URLs. But data:-URLs in downloads should be fine (e.g. bug 1696174).

You need to log in before you can comment on or make changes to this bug.