DarkReader is able to modify CSS of another extension
Categories
(WebExtensions :: General, defect)
Tracking
(Not tracked)
People
(Reporter: mozilla.bxw46, Unassigned)
Details
Attachments
(1 file)
|
11.95 KB,
image/png
|
Details |
Todoist appearance with Dark Reader enabled
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
Steps to reproduce:
- Install the DarkReader and Todoist Firefox extensions
- Open Todoist
Actual results:
DarkReader restyles Todoist's popover (see https://github.com/darkreader/darkreader/issues/6849 for additional details).
Expected results:
Todoist's popover is unaffected.
|
||
Comment 1•3 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::CSS Parsing and Computation' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Updated•3 years ago
|
Hello,
I tried to reproduce this on latest FF104, but in my case on Windows Todoist is not affected by Dark Reader.
We also checked in Ubuntu 22.04, with the same results. I will attach a screenshot with my Todoist appearance.
Please let us know if any other extra step is needed.
Thanks.
Victor
|
||
Comment 4•3 years ago
|
||
If I open the extension in it's own tab (moz-extension://e8ec2be2-729d-42e8-a284-4a9b68d155f4/popup.html), it works and Dark Reader doesn't affect it. And your screenshot looks like you did exactly that (as it has a lot of white around it)? But if I open the Todoist extension from the top-right as a popover-menu as it's intended to be used, it gets affected by Dark Reader.
The extensions seams to only load an iframe with todoist.com, but I even have that domain disabled in Dark Reader, but it still gets affected when loading the extensions through the button at the top-right. Also, if I allow Dark Reader to affect todoist.com, it still doesn't affect the extension being loaded in a tab (as that's probably what should be expected when extensions should be able to modify other extensions?). But Dark Reader is able to affect what is loaded in the iframe when extensions get loaded as a popover from the top-right.
|
||
Comment 5•3 years ago
|
||
I'm able to reproduce this issue on FF104 on both Windows 11 and Linux (Arch).
I have todoist.com blacklisted from Dark Reader. On todoist.com, Dark Reader isn't being applied (expected behavior), but on the extension, Dark Reader is clearly being used.
|
||
Comment 6•3 years ago
|
||
This is working as intended from Firefox's perspective.
Extensions are not able to modify the content of moz-extension:-documents.
Todoist however loads a remote frame in their extension panel.
Extensions can run content scripts in web content, and also modify styles.
I note that Chrome behaves differently here: extensions are not able to run scripts in chrome-extension: documents of other extensions, but only their own (this is not just in extension popups, but also new tabs).
|
Reporter | |
Comment 7•3 years ago
|
||
(In reply to Rob Wu [:robwu] from comment #6)
This is working as intended from Firefox's perspective.
I'd like to push back on the rational behind "working as intended."
Todoist however loads a remote frame in their extension panel.
Yes, this is true, however the remote frame is processed differently than the actual web content it shows. i.e. "open this frame in a new tab" and you'll see a completely different result.
I note that Chrome behaves differently here: extensions are not able to run scripts in
chrome-extension:documents of other extensions, but only their own (this is not just in extension popups, but also new tabs).
This seems like the correct behavior. Especially for non-technical users, an extension being able to modify something that's in effect, part of another extension's UI is IMO very broken. Imagine if this was affecting an about: page or some part of the core Firefox UI. Extension developer's UIs shouldn't be "second class" in being protected from modification from other extensions.
Furthermore, this is anything but desirable behavior as DarkReader A) needs special logic for Firefox B) this is a very subtle behavior that hasn't been thought about, fixed, or addressed. That's in the context of a highly reputable extension developer and an AMO "Recommended" extension.
Description
•