Closed Bug 1664513 Opened 4 years ago Closed 4 years ago

Extensions shouldn't get access to topsites.services.mozilla.com

Categories

(WebExtensions :: Request Handling, enhancement)

Product:
WebExtensions
Component:
Request Handling
Type:
enhancement
Points:
1

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: mikedeboer, Assigned: mikedeboer)

References

Details

Currently WebExtensions can attach content scripts to topsites.services.mozilla.com and listen to traffic using the webRequest API. That means an extension could intercept your user name and password for that site.

We should add this domain to the extensions.webextensions.restrictedDomains pref.

Assignee: nobody → mdeboer
No longer blocks: 1357856, 1425197, 1443073
Points: --- → 1
No longer depends on: 1445714, 1450649, 1476570
Keywords: csectype-priv-escalation, sec-moderate
Summary: Should extensions get access to accounts.firefox.com → Extensions shouldn't get access to topsites.services.mozilla.com
Whiteboard: [adv-main60+][post-critsmash-triage]

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: General → Request Handling

How is that different from any other website that has a login form?

I don't think we should add more sites to that pref. Data can be retrieved using other ways, and legitimate add-ons (like password managers) don't work, which is an inconvenience for user that can also impact their safety, if they have to type/fill credentials manually.

Flags: needinfo?(mdeboer)

topsites.services.mozilla.com is a service internal to Mozilla that is essential in making sure we monetize clicks on sponsored Top Site tiles and sponsored searches.
Anything we allow to tamper with these request will have an impact on our revenue.

Flags: needinfo?(mdeboer)

I don't think that warrants a blank ban of that domain for webextensions. Domains like google.com also affect our revenue and we don't restrict those either.

Are there any add-ons that tamper with requests to the topsites domain? We should evaluate them and see what their use case is. We could also look into flagging add-ons for review that request access to that domain.

It is not exactly clear from this bug what topsites is, and how it functions with regards to usernames, passwords and cookies.

(In reply to Mike de Boer [:mikedeboer] from comment #0)

That means an extension could intercept your user name and password for that site.

Who is expected to have a username/password on this website? Is this a significant portion of our users?

Flags: needinfo?(mdeboer)

Clearing priority because we never saw this bug in our triage.

Severity: normal → --
Priority: P2 → --

Why isn't this just a system request? I only see XHR/Fetch requests in JSM files, I don't understand how a content script could be attached to those requests. This needs more information.

Yeah, I think we can resolve this as invalid, since we can turn this into a system request.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(mdeboer)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.