browser.runtime.getURL() may return a non-extension URL
Categories
(WebExtensions :: General, defect, P2)
Tracking
(firefox130 fixed)
| | Tracking | Status |
|---|---|---|
| firefox130 | --- | fixed |
People
(Reporter: robwu, Assigned: robwu)
References
Details
(Keywords: dev-doc-complete, Whiteboard: [addons-jira][wecg])
Attachments
(2 files)
Originally reported as "Inconsistency 3" at https://github.com/w3c/webextensions/issues/281
Inconsistency 3: passing a full external URL
Example: runtime.getURL('https://www.example.com');
Chrome prefixes the URL with the extension origin as such:
browser-extension://$extension_uuid/https://www.example.com/
Firefox and Safari just return the full URL:
https://www.example.com/
Prefixing the URL with the extension origin seems more true to the definition of the API and can potentially reduce attack surfaces. An exception and edge-case to this is inconsistency #4, see below.
There are a bunch more inconsistencies reported in https://github.com/w3c/webextensions/issues/281.
It may make sense to concatenate instead of just using `baseURI.resolve` at https://searchfox.org/mozilla-central/rev/76ccfc801e6b736c844cde3fddeab7a748fc8515/toolkit/components/extensions/child/ext-runtime.js#95
Comment 1•2 years ago
`browser.extension.getURL` is deprecated, but it ought to behave identically as `runtime.getURL`
- https://searchfox.org/mozilla-central/rev/76ccfc801e6b736c844cde3fddeab7a748fc8515/toolkit/components/extensions/child/ext-extension.js#11
Comment 3•3 months ago
This corrects the behavior of runtime.getURL and extension.getURL when
the input looks like an absolute or protocol-relative URL.
Comment 4•3 months ago
Before this patch, `runtime.getURL()` did some form of canonicalization
of the URL, which primarily meant that some components were stripped if
the input contains `/.`, `./` and `../`. This is not strictly necessary,
because anything that consumes the resulting URL is equally capable of
doing that.
To simplify the implementation, this patch drops that post-processing.
The result matches Chrome's behavior, whose implementation is also
a simple concatenation.
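
The difference between resolving the input against the extension base URI and concatenating it, as discussed in the description and in comment 4, shown as an added example that is not part of the bug comments and is not Firefox's or Chrome's code. It uses the standard `URL` parser as a stand-in for `baseURI.resolve`; the placeholder UUID, the function names and the leading-slash handling are assumptions.

```javascript
// Added example: a model of the two strategies discussed in this bug,
// not Firefox's or Chrome's source code.
// EXT_ORIGIN uses a constructed placeholder UUID.
const EXT_ORIGIN = "moz-extension://00000000-0000-0000-0000-000000000000";

// Pre-fix model: resolve the input against the extension's base URI.
// An absolute or protocol-relative input overrides the base.
function getURLByResolve(path) {
  return new URL(path, EXT_ORIGIN + "/").href;
}

// Post-fix model: plain concatenation, no canonicalization.
// Assumption: a single "/" is inserted when the input lacks a leading one.
function getURLByConcat(path) {
  const p = String(path);
  return EXT_ORIGIN + (p.startsWith("/") ? p : "/" + p);
}

// True when the URL still points into the extension's own origin.
// URL.origin is "null" for non-special schemes, so compare the prefix.
function isExtensionURL(url) {
  return url.startsWith(EXT_ORIGIN + "/");
}

// Constructed sample inputs: absolute, protocol-relative, dot segments.
const SAMPLES = ["https://www.example.com/", "//www.example.com/x", "../a/./b.html"];

function compare(inputs = SAMPLES) {
  return inputs.map((input) => {
    const resolved = getURLByResolve(input);
    const concatenated = getURLByConcat(input);
    return {
      input,
      resolved,
      resolvedInExtension: isExtensionURL(resolved),
      concatenated,
      concatenatedInExtension: isExtensionURL(concatenated),
      // What a consumer sees after parsing the concatenated string.
      consumed: new URL(concatenated).href,
    };
  });
}

console.table(compare());
```

Code that treats the return value as a trusted extension resource can apply a prefix check like `isExtensionURL` before using it, which matters on versions that still resolve the input.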
Comment 6•3 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/39da03a4eec5
https://hg.mozilla.org/mozilla-central/rev/888f6e45052a
Docs ready for review: runtime.getURL fixes #35136