fetch or XMLHttpRequest fails with WebExtension for http sites if HTTPS-Only is enabled even with site being exempt
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: feedbro.reader, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Steps to reproduce:
- Create a WebExtension with permission to access any http or https site
- Enable HTTPS-Only mode in Firefox (all windows)
- Open http://feeds.macrumors.com/MacRumors-All in a new tab
- Click the URL bar icon and set an exception that http://feeds.macrumors.com/MacRumors-All can be loaded despite HTTPS-Only mode
- Enter this command in the WebExtension Console:
fetch("http://feeds.macrumors.com/MacRumors-All").then(function(r) { return r.text(); }).then(function(txt) { console.log(txt); });
Actual results:
Firefox throws an error (and doesn't load the site):
Uncaught (in promise) TypeError: NetworkError when attempting to fetch resource.
Expected results:
Firefox should have loaded the site because there's a rule in place that the site should be loaded.
It looks like those user-defined site specific rules aren't applied to fetch or XMLHttpRequests?
|
||
Comment 1•4 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
|
||
Comment 2•4 years ago
|
||
Is this ONLY a problem in the Webextension Console, or are you just using that as a demonstration? I'm confident normal fetch/XHR in the web page should honor the exception. Is fetch/XHR broken in code running as part of a normal Web Extension (background script? content script?), or only in the console? I can easily believe all of those contexts might have subtle differences.
It's a problem when called in WebExtension background page.
Description
•