JavaScript execution order is broken. Extensions are unable to run injected page scripts at document_start (before all page scripts).
Categories
(WebExtensions :: Untriaged, defect)
Tracking
(Not tracked)
People
(Reporter: indigotime, Unassigned)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
I made an extension that needs to run a custom page script before all other page scripts. Then, I discovered that the injected script is always executed after inline page scripts.
Then, I made a sample extension that proves this bug. It injects 3 scripts in the following order:
- inline script 1
- script src=moz-extension://... (extension script loaded from web accessible url)
- inline script 2
Actual results:
Inline scripts always run before the extension-injected script (script src=moz-extension://).
My sample extension shows that scripts injected in the following order
- inline script 1
- script src=moz-extension://... (extension script loaded from web accessible url)
- inline script 2
run in the following order:
- inline script 1
- inline script 2
- script src=moz-extension://... (extension script loaded from web accessible url)
Potentially, some page scripts (anti-adblock, anti-privacy, anti-anti-fingerprint, etc) may prevent execution of extension scripts.
This is a CRITICAL problem, because extension developers can't rely on inline script injection (injected inline scripts may be easily blocked by CSP).
Expected results:
Extension-injected scripts must not wait for inline page scripts.
Scripts must be executed in the order they are requested, not the order they finish loading.
Comment 1 (Reporter) • 4 years ago
Able to reproduce this bug on the latest Firefox 92, Firefox 56 and the latest Firefox Dev.
Probably it's related to https://bugzilla.mozilla.org/show_bug.cgi?id=694940
Comment 2 • 4 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 3 (Reporter) • 4 years ago
Comment 4 • 4 years ago
Bugbot is wrong, this is not a "DOM: Security" bug. If you can reproduce this with a non-webextension script then it's "DOM: Core & HTML" like bug 694940. If it's only moz-extension:// scripts then this goes in the "Webextensions" product.
Updated • 3 years ago
Comment 5 • 3 years ago
This bug report is invalid.
The observed behavior is expected and normal; inline scripts are executed immediately, and external scripts (<script src>) are loaded and executed asynchronously.
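The ordering explained in comment 5, as an added example that is not part of the bug thread and is not Firefox code: a simplified JavaScript model (no DOM) showing why the reporter's three injections run in the observed order. It assumes all injections happen in one synchronous content-script run; `simulateInjection`, the `fetchMs` latencies and the `async` flag handling for script-inserted external scripts are constructed for illustration.

```javascript
// Simplified scheduling model for dynamically injected scripts.
// Constructed for illustration; not Firefox code, no DOM required.
// Injection shape: { name, kind: "inline" | "external", fetchMs, async }
function simulateInjection(injections) {
  const executed = [];     // names in the order they actually run
  const pending = [];      // external scripts waiting for their fetch
  const inOrder = [];      // external scripts with async=false, insertion order

  injections.forEach((s, index) => {
    if (s.kind === "inline") {
      // An inline script runs synchronously while it is being inserted.
      executed.push(s.name);
    } else {
      // An external script only starts a fetch here; it cannot run until a
      // later task, so it never runs ahead of inline scripts inserted in
      // the same synchronous run, however fast the fetch is.
      const entry = { ...s, index, async: s.async !== false };
      pending.push(entry);
      if (!entry.async) inOrder.push(entry);
    }
  });

  // Fetches complete by latency; ties are broken by insertion order.
  pending.sort((a, b) => a.fetchMs - b.fetchMs || a.index - b.index);
  const loaded = new Set();
  for (const s of pending) {
    loaded.add(s.name);
    // Default for script-inserted externals: run as soon as loaded.
    if (s.async) executed.push(s.name);
    // async=false externals keep insertion order among themselves only.
    while (inOrder.length && loaded.has(inOrder[0].name)) {
      executed.push(inOrder.shift().name);
    }
  }
  return executed;
}

// The three injections from the report (the fetchMs value is constructed).
const reportCase = [
  { name: "inline script 1", kind: "inline" },
  { name: "moz-extension script", kind: "external", fetchMs: 1 },
  { name: "inline script 2", kind: "inline" },
];
console.log(simulateInjection(reportCase));
```

In this model, setting `async: false` on an external script orders it only relative to other external scripts; it does not move it ahead of inline scripts.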