Closed Bug 1745566 (CVE-2022-22761) Opened 3 years ago Closed 3 years ago

"frame-ancestors" CSP directive not enforced for framed extension pages


(WebExtensions :: General, defect, P2)



(firefox-esr9197+ fixed, firefox95 wontfix, firefox96 wontfix, firefox97+ fixed)

97 Branch
Tracking Status
firefox-esr91 97+ fixed
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 + fixed


(Reporter: dveditz, Assigned: robwu)



(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main97+][adv-esr91.6+])


(2 files)

Mart from Flowcrypt wrote the security alias to let us know that their WebExtension uses a CSP with a frame-ancestors directive, and that Firefox does not enforce it when web content frames one of their web-accessible extension pages. In contrast, Chrome does. This exposes their content to the risk of clickjacking.

Their CSP is:
upgrade-insecure-requests; script-src 'self'; frame-ancestors 'self'; img-src 'self' https://* data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'

It appears we intentionally limit frame-ancestor checks to HTTP channels,,905-907
but it seems quite a useful thing to do for web extensions also

Repro steps from the mail:

Steps to reproduce:
I have discovered this by accident while checking on how our firefox application behavior in the Firefox Web Browser v95.0 64. Our application's source code is used by both Chrome extension and Firefox addon via separate build so there shouldn't be much difference unless an inconsistency to the client software is present such as this one.

  1. To replicate the issue, download our app at

  2. Install them for both Chrome and Firefox browsers, the latest version is preferable.

  3. Consider the following PoC:

    data:text/html,<iframe src=$extension-uri$/chrome/elements/attachment_preview.htm

The $extension-uri$ may vary for example in Google Chrome browser, it uses chrome-extension://<id-of-extension> and moz-extension://<id-of-extension> for Firefox browser.

  1. Replace $extension-uri$ by the dedicated uri from each extension downloaded from
  2. Open the PoC link above for both Chrome and Firefox browsers and you will notice that the iframe is blocked in the chrome browser via CSP and the iframe on firefox browser is loaded.

Not sure if this should be a Web Extension bug (because it only affects Web Extensions) or moved to "DOM: Security" (because it's CSP)

Flags: needinfo?(mixedpuppy)
Flags: needinfo?(ckerschb)

An extension that declares a resource in web_accessible_resources should be prepared to deal with the web loading the resource.
It would be useful to support frame-ancestors in the CSP though.

We need to apply two CSPs, like we do here:,3680-3684

While that code is in DOM::Security, I'd keep this in WebExtensions::General since it only affects extensions and requires mostly extension-specific knowledge.

I'll take a stab at fixing this; seems pretty straightforward.

Assignee: nobody → rob
Flags: needinfo?(mixedpuppy)
Flags: needinfo?(ckerschb)
Severity: -- → S3
Priority: -- → P2
Keywords: sec-moderate

frame-ancestor support requires a CSP. While extensions can declare a
CSP for extension pages, the frame-ancestors directive was not enforced
because the implementation expected only HTTP channels.

This patch also adds support for channels from ExtensionProtocolHandler.

I'll land bug 1735856 first, to avoid undesired information leakage.

Depends on: CVE-2022-22745

Support frame-ancestors for web-accessible extension resources r=necko-reviewers,freddyb,dragana

Group: firefox-core-security → core-security-release
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

Hello Team,

I have tested it right now and it was no longer reproducible so I think it was fixed now (Firefox Web Browser Version 95.0.2).

May I know If this is eligible for a reward, CVE entry - security advisory such as, or, a Hall of Fame entry?

Mart Gil

I've set the bug flag so that its eligibility for a bounty can be evaluated at the next triage.

Flags: sec-bounty?

Given that we're already in RC week, it's probably too late for backports this cycle, but is this something we're eventually going to want on ESR for the next cycle? Also, let us know ASAP if you think this is something we should still aim to ship this cycle.

Flags: needinfo?(rob)
Flags: in-testsuite+

Comment on attachment 9255900 [details]
Bug 1745566 - Support frame-ancestors for web-accessible extension resources

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Extensions can override the default CSP for extension pages. The frame-ancestors CSP directive is usually used to stop pages from being embedded by third parties, and extension authors may expect the same for CSP directives of extension pages.
  • User impact if declined: Extensions opted in to web-accessible extension pages AND relied on enforced frame-ancestors may be susceptible to click jacking.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The number of extensions that specify a frame-ancestors CSP without expecting its enforcement is likely next to none.
Flags: needinfo?(rob)
Attachment #9255900 - Flags: approval-mozilla-esr91?
Flags: sec-bounty? → sec-bounty+

Comment on attachment 9255900 [details]
Bug 1745566 - Support frame-ancestors for web-accessible extension resources

Approved for 91.6esr.

Attachment #9255900 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main97+]
Attached file advisory.txt
Whiteboard: [post-critsmash-triage][adv-main97+] → [post-critsmash-triage][adv-main97+][adv-esr91.6+]
Alias: CVE-2022-22761
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.