Extensions can't override integrity checks for subresources
Categories
(WebExtensions :: General, defect)
Tracking
(Not tracked)
People
(Reporter: jkt, Unassigned)
Details
Overview:
Firefox does not permit an extension to redirect a request to a local resource hosted within the extension when the requesting script tag carries an SRI integrity attribute: the substituted resource has a different digest, so the integrity check fails and the script is blocked. Extensions need this capability to give users choices such as removing tracker banners or misleading warnings without breaking the site.
This has come up in some of our site-breakage cases where a website was doing the following:
// Inject a third-party script whose SRI digest is pinned to the CDN copy
let script = document.createElement('script');
script.onload = function() {
    // Only runs if the fetched bytes match the pinned digest
    initWebsite()
};
script.onerror = function() {
    // Fires when the load fails, including when the integrity check rejects the bytes
    alert("You shall not pass");
};
script.integrity = 'sha256-xjwKUY/NgkPjZZBOtOxRYtK20GaqTwUCf7WYCJ1z69w=';
script.crossOrigin = 'anonymous';
script.src = 'https://cdnjs.cloudflare.com/ajax/libs/fuckadblock/3.2.1/fuckadblock.min.js';
document.head.appendChild(script);
STR (steps to reproduce):
- Install https://addons.mozilla.org/en-GB/firefox/addon/duckduckgo-for-firefox/
- Go to: http://privacy-test-pages.glitch.me/privacy-protections/surrogates/
Actual results:
The test fails and the console contains the following error:
Failed to find a valid digest in the 'integrity' attribute for resource 'https://google-analytics.com/analytics.js' with computed SHA-256 integrity 'W7MQTBlQ7AcSERmsI4GYNsKy6kKOSY92wU+99GKTjSw='. The resource has been blocked.
Expected results:
"google-analytics.com/analytics.js broken integrity" to pass and no SRI warning in the console.
Note: The test purposefully uses an invalid SRI so it always fails when the extension isn't loaded.
Comment 1 • 3 years ago (Reporter)
Discovered Bug 1321916 which I remember seeing before. I'll move my comment there.