Closed Bug 1773115 Opened 2 years ago Closed 2 years ago

MV3 - specifying resource in "web_accessible_resources" prevents it's usage inside addon pages

Categories

(WebExtensions :: Untriaged, defect, P2)

Product:
WebExtensions
Component:
Untriaged
Version:
Firefox 103
Type:
defect

Tracking

(firefox-esr91 wontfix, firefox-esr102 disabled, firefox101 disabled, firefox102 disabled, firefox103 disabled, firefox104 disabled, firefox105 verified)

Status:
VERIFIED FIXED
Milestone:
105 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- disabled
firefox101 --- disabled
firefox102 --- disabled
firefox103 --- disabled
firefox104 --- disabled
firefox105 --- verified

People

(Reporter: juraj.masiar, Assigned: mixedpuppy)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [addons-jira])

Attachments

(5 files)

broken_web_accessible_resources.zip
8.07 KB, application/x-zip-compressed
Details
2022-06-09_10h19_57.png
13.46 KB, image/png
Details
Bug 1773115 ensure extension access to its own web accessible resources
48 bytes, text/x-phabricator-request
Details | Review
2022-08-03_10h09_45.png
17.20 KB, image/png
Details
Bug 1773115 fix extension global matching for web accessible resources
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0

Steps to reproduce:

  1. using Nightly with allowed MV3 extensions
  2. extract and load attached extension.
    If you have web-ext installed, you can use this command:
web-ext run --firefox=firefoxdeveloperedition --pref=extensions.manifestV3.enabled=true
  1. open popup

Actual results:

Only one image is visible.

Expected results:

There should be two images.
Somehow, by specifying image "128.png" in the web_accessible_resources list will break it's usage in the addon:

  "web_accessible_resources": [
    {
      "resources": [
        "128.png"
      ],
      "matches": [ "*://*/*" ]
    }
  ],

Hello,

I reproduced the issue on the latest Nightly (103.0a1/20220608214824), Beta (102.0b5/20220607212916) and Release (101.0/20220526203855) under Windows 10 x64 and Ubuntu 16.04 LTS.

After loading the extension and opening the add-on pop-up, only one image is visible, as described in Comment 0.

For more details, see the attached screenshot.

Status: UNCONFIRMED → NEW
status-firefox101: --- → affected
status-firefox102: --- → affected
status-firefox103: --- → affected
Ever confirmed: true
Attached image 2022-06-09_10h19_57.png

We should probably skip the web-accessible check if the requesting principal represents the same extension at the matched WebExtensionPolicy.

E.g. checking if aURI is a moz-extension:-URL and its host name is the same as mHostname in https://searchfox.org/mozilla-central/rev/28ed523a3ed5dbf5f6b008cf1e28a9e8a8597b5e/toolkit/components/extensions/WebExtensionPolicy.h#119-129

Assignee: nobody → mixedpuppy
Severity: -- → S3
Keywords: regression
Priority: -- → P2
Regressed by: 1697334
Whiteboard: [addons-jira]

Set release status flags based on info from the regressing bug 1697334

status-firefox-esr91: --- → affected
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1697334

status-firefox104: --- → affected
status-firefox-esr102: --- → affected
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/703c909eb009
ensure extension access to its own web accessible resources r=rpl
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1aa5ec22f47a
ensure extension access to its own web accessible resources r=rpl

I am not sure, but I think this https://hg.mozilla.org/integration/autoland/rev/1aa5ec22f47a1aeccb4b0a1ff678d03b3cf26185#l1.12 might be wrong. To me this reads like any URL can access the resource. I think we first need to verify if aURI is an extension by looking up the policy.

Flags: needinfo?(mixedpuppy)

https://hg.mozilla.org/mozilla-central/rev/1aa5ec22f47a

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox105: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch

Verified the fix on the latest Nightly (105.0a1/20220802214455) under Windows 10 x64 and Ubuntu 16.04 LTS.

After loading the extension and opening the add-on pop-up, both images are visible, confirming the fix.

For a second confirmation of the issue being fixed on Nightly 105, the same STR have been performed on the latest Beta (104.0b5/20220802185803), the issue still occurring there.

For more details, see the attached screenshot.

Status: RESOLVED → VERIFIED
status-firefox105: fixedverified
Attached image 2022-08-03_10h09_45.png

Reopening for a followup patch

Status: VERIFIED → REOPENED
Flags: needinfo?(mixedpuppy)
Resolution: FIXED → ---
Pushed by scaraveo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/46e636e428ea
fix extension global matching for web accessible resources r=rpl

https://hg.mozilla.org/mozilla-central/rev/46e636e428ea

Status: REOPENED → RESOLVED
Closed: 2 years ago2 years ago
Resolution: --- → FIXED

Re-verified the fix on the latest Nightly (105.0a1/20220809213127) using the original STR and example extension.

Opening the add-on pop-up still reveals both images as visible, as in the previous verification. No negative impact due to the follow up patch.

Status: RESOLVED → VERIFIED
No longer regressions: 1786564
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: