ExtensionPageContextParent's principal may differ from the ExtensionPageContextChild's principal (missing origin attributes)
Categories: WebExtensions :: General, defect, P2
Tracking: Not tracked
People: Reporter: robwu, Assigned: zombie
References: Blocks 1 open bug
ExtensionPageContextChild has a principal that is based on the contentWindow with which it's associated.
ExtensionPageContextParent's principal is extension.principal, which does not have any origin attributes.
This difference is the root cause of bug 1649463, where the downloads.download
API is unable to download a blob:-URL from an extension page with custom origin attributes:
- The child side validates whether an extension can access the URL via the url schema type, which passes because a blob:-URL created in the extension page has the same origin attributes as the page.
- When loadingPrincipal is set (which is the case in the downloads.download API since bug 1579911), the downloads implementation checks whether the URL can be loaded by the given principal, and otherwise refuses the request. blob:-URLs have an associated principal, and can only be loaded by same-origin principals. Unlike the child, the principal at the parent's side doesn't have origin attributes, so the principal of the blob and the extension principal are considered cross-origin and the download fails.
To fix this issue, the ExtensionPageContextParent should have the same principal as the child's. This may impact APIs in the main process that use the context principals:
- context.principal are mostly triggeringPrincipal. Only the downloads API uses loadingPrincipal.
- The sandbox of ProxyContextParent uses this.principal. This is used by the contentScripts.register API implementations (for which I haven't checked the impact of changing the origin attributes).
Changing principal may cause unexpected regressions, so this change cannot be uplifted, so bug 1649463 will be fixed independently of this.
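The two checks described in this report, as an added JavaScript model that is not part of the bug report and is not Firefox code: a principal is reduced to an origin plus two origin attributes, and every function name, the extension UUID and the blob id are constructed for illustration. It also runs a page with default attributes, which shows why only pages with custom origin attributes hit the failure.

```javascript
// Simplified model, NOT Firefox code. All function names here are hypothetical.
// A principal is modelled as an origin plus origin attributes.
const DEFAULT_ATTRS = { userContextId: 0, privateBrowsingId: 0 };

function makePrincipal(origin, attrs = {}) {
  return { origin, attrs: { ...DEFAULT_ATTRS, ...attrs } };
}

// Same-origin requires the origin AND every origin attribute to match.
function sameOrigin(a, b) {
  return a.origin === b.origin &&
    Object.keys(DEFAULT_ATTRS).every((k) => a.attrs[k] === b.attrs[k]);
}

// A blob: URL carries the principal of the page that created it.
function createBlobURL(pagePrincipal) {
  return {
    url: `blob:${pagePrincipal.origin}/constructed-id`, // constructed value
    principal: pagePrincipal,
  };
}

// Runs both checks from the description for one extension page.
// fixed=false: the parent context uses extension.principal (no origin attributes).
// fixed=true:  the parent context uses the same principal as the child.
function simulateDownload(pageAttrs, fixed) {
  const extensionPrincipal = makePrincipal("moz-extension://constructed-uuid");
  const childPrincipal = makePrincipal(extensionPrincipal.origin, pageAttrs);
  const parentPrincipal = fixed ? childPrincipal : extensionPrincipal;
  const blob = createBlobURL(childPrincipal);
  return {
    // Child side: URL schema validation against the page's own principal.
    childSchemaCheck: sameOrigin(childPrincipal, blob.principal),
    // Parent side: can loadingPrincipal load the blob: URL?
    parentLoadCheck: sameOrigin(parentPrincipal, blob.principal),
  };
}

// Page in a container (custom origin attributes), parent principal mismatched.
console.log("custom attrs, current:", simulateDownload({ userContextId: 2 }, false));
// Same page once the parent context shares the child's principal.
console.log("custom attrs, fixed:  ", simulateDownload({ userContextId: 2 }, true));
// Page with default attributes: both checks pass even without the fix.
console.log("default attrs, current:", simulateDownload({}, false));
```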
Comment 1 (Assignee) • 4 years ago
This could be a problem, though we don't know if it actually affects anything now.
Comment 2 (Reporter) • 2 years ago
I sketched the implementation plan at https://bugzilla.mozilla.org/show_bug.cgi?id=1747283#c3
Note: there is a comment that references this bug at https://searchfox.org/mozilla-central/rev/7271a078fa0c1b858a52614ea60ac82fdd8b3d23/toolkit/components/extensions/parent/ext-downloads.js#961-972.
After fixing this bug, we could address that comment.