Closed Bug 1760608 Opened 2 years ago Closed 2 years ago

Browser action and page action popups should only permit relative (extension) URLs and not remote URLs

Categories

(WebExtensions :: General, task, P2)

Product:
WebExtensions
Component:
General
Type:
task

Tracking

(firefox106 fixed)

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox106 --- fixed

People

(Reporter: robwu, Assigned: rpl)

References

(Blocks 1 open bug)

Details

(Whiteboard: [mv3-m2])

Attachments

(3 files)

Bug 1760608 - Restrict actions API setPopup urls allowed for MV3 extensions. r?mixedpuppy!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1760608 - Fix and reenable GeckoView ExtensionActionTest.testOpenPopup. r?#geckoview-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1760608 - Restrict MV2 pageAction/browserAction setPopup to same extension urls on GeckoView. r?mixedpuppy!,#geckoview-reviewers!
48 bytes, text/x-phabricator-request
Details | Review

As seen in bug 1758922, it is currently possible to specify a http(s) URL as the default_popup or popup option in the page_action / browser_action / action APIs.

We should limit this to extension URLs only, and at the very least enforce this for MV3 extensions.

E.g. in the browser_action API definition, default_popup is defined to be relativeUrl (instead of strictRelativeUrl):
https://searchfox.org/mozilla-central/rev/f8db81665dc2833fff09dc7eef200539ac1fd351/toolkit/components/extensions/schemas/browser_action.json#32

In the browserAction.setPopup method, we may consider allowing absolute extension URLs if it is the same moz-extension:-URL as the extension itself.

See Also: → 1758922
Blocks: manifest-v3
Whiteboard: [mv3-m2]
See Also: → 1771391
Severity: -- → N/A
Priority: -- → P2
Assignee: nobody → lgreco
Status: NEW → ASSIGNED

This patch fixes a pre-existing "setPopup + openPopup" GeckoView test case that was apparently disable
because it was failing intermittently.

While trying to run it locally I noticed that the test was getting stuck because there is no
tab delegate that would be allowing the test extension to update the current tab from
http://example.com to the extension page that was meant to be triggering the openPopup API call.

Loading the extension page using mainSession.loadUrl seems to be making the test able to fully
run and pass.

It is possible that the test case was originally working but got broken while it started to be ignored,
the test was missing to await for the setPopup call to be fully handled and that may have been likele
a source of intermittent failures over a larger number of runs.

Depends on D154547

This patch extends restricts setPopup to extension url to MV2 extensions running on GeckoView.

Depends on D154548

Pushed by luca.greco@alcacoop.it:
https://hg.mozilla.org/integration/autoland/rev/5f0091c3b617
Restrict actions API setPopup urls allowed for MV3 extensions. r=mixedpuppy
https://hg.mozilla.org/integration/autoland/rev/9c27270397ea
Fix and reenable GeckoView ExtensionActionTest.testOpenPopup. r=geckoview-reviewers,ohall
https://hg.mozilla.org/integration/autoland/rev/26965dd3b9d9
Restrict MV2 pageAction/browserAction setPopup to same extension urls on GeckoView. r=mixedpuppy,geckoview-reviewers,owlish

https://hg.mozilla.org/mozilla-central/rev/5f0091c3b617
https://hg.mozilla.org/mozilla-central/rev/9c27270397ea
https://hg.mozilla.org/mozilla-central/rev/26965dd3b9d9

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox106: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: