Extensions cannot access images from dynamic themes
Categories
(WebExtensions :: General, defect, P3)
Tracking
(Not tracked)
People
(Reporter: robwu, Unassigned)
In bug 1711168, we started to restrict access of extensions to moz-extension:-URLs from other extensions, unless explicitly listed in web_accessible_resources. There was an exception for tabs.create, tabs.update and windows.create because these were thought to be too common to break.
In bug 1786564, another use case appeared: extensions can use the browser.theme.getCurrent() API to retrieve the theme, and try to display images from the theme. That bug will be fixed for static themes (https://bugzilla.mozilla.org/show_bug.cgi?id=1786564#c8), but possibly not for dynamic themes.
An extension can dynamically update the theme with theme.update, and if an image is set there, the image can no longer be loaded by another extension that reads the theme with theme.getCurrent().
A relevant observation is that the theme.getCurrent() API is not designed for use with extension images from other extensions (bug 1618563). There are multiple ways to fix this bug, e.g.:
- extensions can list their images in web_accessible_resources.
  - Downside is that web content can then read the resources too.
- extensions can pass a data:-URL with a PNG or JPEG.
  - Downside is potentially large data:-URLs, and that other image types are not supported (bug 1491790).
- We can relax the check from bug 1711168
- We change the output of the theme.getCurrent() API, as explained at https://bugzilla.mozilla.org/show_bug.cgi?id=1786564#c5.
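
The data:-URL option listed above, as an added example that is not part of the original bug report or of Firefox's code: a dynamic theme extension inlines its own packaged image before calling theme.update, so a reader of theme.getCurrent() never receives a moz-extension: URL it is not allowed to load. The function names, the `MAX_BYTES` budget, and the `path` and `baseTheme` parameters are assumptions made for illustration.

```javascript
// Magic bytes for the two image types the report says work as data: URLs.
const SIGNATURES = [
  { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
];

// Hypothetical size budget chosen for this example (not a Firefox limit);
// it addresses the "potentially large data:-URLs" downside.
const MAX_BYTES = 256 * 1024;

// Identify the image type from its content, not from the file extension.
function sniffMime(bytes) {
  const hit = SIGNATURES.find((s) => s.magic.every((b, i) => bytes[i] === b));
  return hit ? hit.mime : null;
}

// Turn raw image bytes into a data: URL, rejecting unsupported types
// (for example SVG) and images over the size budget.
function toThemeDataUrl(bytes, maxBytes = MAX_BYTES) {
  const mime = sniffMime(bytes);
  if (!mime) throw new TypeError("only PNG and JPEG data: URLs are supported");
  if (bytes.length > maxBytes) {
    throw new RangeError(`image is ${bytes.length} bytes, budget is ${maxBytes}`);
  }
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return `data:${mime};base64,${btoa(binary)}`;
}

// Background-script usage: read an image packaged with this extension and
// publish it as theme_frame. `path` and `baseTheme` are hypothetical inputs.
async function applyFrame(path, baseTheme) {
  const res = await fetch(browser.runtime.getURL(path));
  const url = toThemeDataUrl(new Uint8Array(await res.arrayBuffer()));
  await browser.theme.update({
    ...baseTheme,
    images: { ...(baseTheme.images || {}), theme_frame: url },
  });
  return url;
}

// Constructed sample inputs: a truncated PNG header, a JPEG header, an SVG.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SAMPLE_JPEG = new Uint8Array([0xff, 0xd8, 0xff, 0xe0]);
const SAMPLE_SVG = new TextEncoder().encode("<svg xmlns='http://www.w3.org/2000/svg'/>");
```

Unlike a web_accessible_resources entry, this exposes nothing from the extension package to web content; the image bytes are visible only to callers of theme.getCurrent().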
Comment 1•3 years ago
I'm not entirely certain of the value in pursuing this. theme.getCurrent does not require a permission currently. So it's not likely that both a dynamic theme addon would be any better served than by defining the images it wants accessible as a web accessible resource in MV3 using the extensions option. This is getting to an edge case where some complicated effort (after figuring out the static theme side) may not be justified by actual scenarios where this is an issue. So I am leaning towards documentation and let's see how it goes.
Comment 2•3 years ago
The severity field is not set for this bug.
:robwu, could you have a look please?
For more information, please visit auto_nag documentation.