Closed Bug 1795082 Opened 2 years ago Closed 3 months ago

browser.runtime.getURL() may return a non-extension URL

Categories

(WebExtensions :: General, defect, P2)

defect

Tracking

(firefox130 fixed)

RESOLVED FIXED
130 Branch
Tracking Status
firefox130 --- fixed

People

(Reporter: robwu, Assigned: robwu)

References

Details

(Keywords: dev-doc-complete, Whiteboard: [addons-jira][wecg])

Attachments

(2 files)

Originally reported as "Inconsistency 3" at https://github.com/w3c/webextensions/issues/281

Inconsistency 3: passing a full external URL

Example: runtime.getURL('https://www.example.com');
Chrome prefixes the URL with the extension origin as such:
browser-extension://$extension_uuid/https://www.example.com/
Firefox and Safari just return the full URL:
https://www.example.com/

Prefixing the URL with the extension origin seems more true to the definition of the API and can potentially reduce attack surfaces. An exception and edge-case to this is inconsistency #4, see below.

There are a bunch more inconsistencies reported in https://github.com/w3c/webextensions/issues/281.

It may make sense to concatenate instead of just using baseURI.resolve at https://searchfox.org/mozilla-central/rev/76ccfc801e6b736c844cde3fddeab7a748fc8515/toolkit/components/extensions/child/ext-runtime.js#95

browser.extension.getURL is deprecated, but it ought to behave identically as runtime.getURL - https://searchfox.org/mozilla-central/rev/76ccfc801e6b736c844cde3fddeab7a748fc8515/toolkit/components/extensions/child/ext-extension.js#11

Severity: -- → S3
Priority: -- → P2
See Also: → 1864187
Flags: needinfo?(rob)

This corrects the behavior of runtime.getURL and extension.getURL when
the input looks like an absolute or protocol-relative URL.

Assignee: nobody → rob
Status: NEW → ASSIGNED

Before this patch, runtime.getURL() did some form of canonicalization
of the URL, which primarily meant that some components were stripped if
the input contains /., ./ and ../. This is not strictly necessary,
because anything that consumes the resulting URL is equally capable of
doing that.

To simplify the implementation, this patch drops that post-processing.
The result matches Chrome's behavior, whose implementation is also
a simple concatenation.

Keywords: dev-doc-needed
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/39da03a4eec5 Part 1/2: runtime.getURL should always return moz-extension:-URL r=zombie https://hg.mozilla.org/integration/autoland/rev/888f6e45052a Part 2/2: Drop post-processing from getURL() r=zombie
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Docs ready for review: runtime.getURL fixes #35136

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: