Closed Bug 1794427 Opened 2 years ago Closed 2 years ago

MV2 extensions might already have access to a page via <all_urls> content scripts

Categories

(WebExtensions :: General, defect, P1)

Product:
WebExtensions
Component:
General
Type:
defect

Tracking

(firefox108 fixed)

Status:
RESOLVED FIXED
Milestone:
108 Branch
Tracking Flags:
Tracking Status
firefox108 --- fixed

People

(Reporter: willdurand, Assigned: zombie)

References

(Blocks 1 open bug)

Details

(Whiteboard: [addons-jira])

Attachments

(1 file)

Bug 1794427 - Origin Controls reflect implicit access through content scripts r=willdurand
48 bytes, text/x-phabricator-request
Details | Review

From https://phabricator.services.mozilla.com/D158826:

In this concrete case though, we have a bug. This extension has a <all_urls> content script, which means it already "has access" to every page, but we don't reflect it because we only check host permissions. This is an MV2-only bug because for MV3 we turn all content script match patterns into optional permissions.

We would have to specifically check all content script match patterns to see if an extension "has access" to the current page, but only for MV2 extensions.

Assignee: nobody → tomica
Severity: -- → S2
Type: task → defect
Priority: -- → P1

For a note.
Maybe you should also check for
"*://*/*"
"file:///*"
Ignore if <all_urls> checks for these.

Pushed by tjovanovic@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/247863b6c995 Origin Controls reflect implicit access through content scripts r=willdurand

https://hg.mozilla.org/mozilla-central/rev/247863b6c995

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox108: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: