Open Bug 1836309 Opened 2 years ago Updated 2 years ago

Allow extensions which can access all sites to run without user interaction

Categories

(WebExtensions :: General, enhancement, P3)

Firefox 113
enhancement

Tracking

(Not tracked)

People

(Reporter: psiinon, Unassigned, NeedInfo)

Details

(Whiteboard: [design-decision-needed])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0

Steps to reproduce:

I have created a new Firefox extension: https://addons.mozilla.org/en-GB/firefox/addon/owasp-zap-browser-extension/ - which uses Manifest v3.
It is a security extension to be used with OWASP ZAP.
ZAP can be used to test the security of any website and so this extension needs full access to all data on all websites.
We plan to bundle this extension in a ZAP add-on. ZAP will then add the extension to a clean Firefox profile when it launches Firefox (using selenium).
We do not expect many users to install this add-on, but some security folk may choose to install it manually, presumably in a non-default profile.
While ZAP is used manually it is more often used in automation.
We want to be able to use this extension when we launch Firefox (headless) in an automated environment.
This extension is part of our plans to help ZAP test the security of modern web apps more effectively.
As ZAP is the world's most popular web scanner this could help make the internet ever so slightly more secure :)

Actual results:

When Firefox is launched from ZAP we inject the extension but it is initially disabled.
The user has to select the extension and enable it.
This is a pain when using ZAP manually as Firefox is always launched with a new profile, so this must be done every time Firefox is launched.
However it's a complete blocker for automation - there's no user to click anything, or UI to interact with!

Expected results:

I understand why such extensions are not enabled by default.
But we would really like this to be possible, one way or another.
We can set any non-standard prefs required.
It is worth noting that the equivalent Chrome extension does work when we inject it without user interaction.
If there is a way to make this work right now then great, but I checked on https://chat.mozilla.org/#/room/#addons:mozilla.org and it appears it is not :/

The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Product: Firefox → WebExtensions
Status: UNCONFIRMED → NEW
Component: Untriaged → General
Ever confirmed: true
Whiteboard: [design-decision-needed]
Severity: -- → N/A
Priority: -- → P3

Any thoughts :freddyb / :dveditz ?
I suspect a number of other security tools would use this option if it was workable...

Flags: needinfo?(fbraun)
Flags: needinfo?(dveditz)

Looks like you should be using an "automation" setup of Firefox in contrast to the user's Firefox installation? Maybe something like geckodriver or https://support.mozilla.org/en-US/kb/deploying-firefox-with-extensions could help?

Flags: needinfo?(fbraun)

We already use Selenium and WebDriver / geckodriver, so this means we start a new profile every time we launch Firefox.
We do not make any changes to the user's existing Firefox profiles.
I was hoping this would allow us to do things that are otherwise frowned upon :)
We really don't want to manage a complete new deployment of Firefox for our users.
And I don't think our users would want us to do that either :/

Potentially related bug 1561841

Unfortunately what you are quite reasonably wanting to do for the legit ZAP tool is exactly what malware does to inject adware/spyware extensions into Firefox ("side-loading"). It's been a huge problem for users who have no clue what's going on. Malware already figured out the "enable the overrides in prefs.js" trick so we've largely removed those kinds of prefs from Release Firefox. Could you have your users use Nightly (maybe Beta?) where prefs might be available?

If you are creating a fresh testing profile anyway, could you replicate one that has the extension enabled already? Clearly the fact that the user enabled it has to be stored somewhere. Looks like extensions.json might do it. In a fresh profile maybe you could just splat down a pre-made one with the right values.

Flags: needinfo?(dveditz)

Thanks :dveditz - I had a feeling that was going to be the reason.
For most manual ZAP users Nightly / Beta won't be practical, but I guess we could install one of those in our docker images for automation.
I'll also have a play with the profile configs and see what can be achieved..
It would still be nice to have an "officially supported/documented" way of doing this, even if it requires firestore access...

It looks like it's stored in extension-preferences.json - the relevant part seems to be:
{"permissions":[],"origins":["*://localhost/*","*://www.google.com/*"]}

Unfortunately it looks like each domain must be specified separately - I have not been able to work out any wildcards :(

Who might know about any wildcard support or other ways of enabling it for all domains?

Update: {"permissions":["<all_urls>"],"origins":["<all_urls>","*://*/*"]} seems to do the trick!
It would be good to know how stable this file's format is, i.e. are we likely to need to change this on every FX release?
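
A defender-side check built on the values quoted in this thread, added here as an example and not part of the bug report or ZAP's code: it lists which extensions recorded in a profile's extension-preferences.json hold all-site access. The top-level layout (records keyed by extension ID) and the sample IDs are assumptions; the file format is unsupported and may change.

```python
import json

# Constructed sample of extension-preferences.json. The per-extension record
# shape is the one quoted in the thread; keying records by extension ID is an
# assumption, and the IDs below are made up.
SAMPLE = json.dumps({
    "scoped@constructed.invalid": {
        "permissions": [],
        "origins": ["*://localhost/*", "*://www.google.com/*"],
    },
    "broad@constructed.invalid": {
        "permissions": ["<all_urls>"],
        "origins": ["<all_urls>", "*://*/*"],
    },
    "https-only@constructed.invalid": {
        "permissions": [],
        "origins": ["https://*/*"],
    },
})


def is_all_hosts(pattern):
    """True if a match pattern covers every host for at least one web scheme."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permission names such as "tabs" end up here
    host = rest.split("/", 1)[0]
    return host == "*"


def audit(raw):
    """Return {extension_id: [broad grants]} for records with all-site access."""
    findings = {}
    for ext_id, record in json.loads(raw).items():
        if not isinstance(record, dict):
            continue  # tolerate format drift; the file is not a stable interface
        grants = list(record.get("origins", [])) + list(record.get("permissions", []))
        broad = sorted({g for g in grants if isinstance(g, str) and is_all_hosts(g)})
        if broad:
            findings[ext_id] = broad
    return findings


if __name__ == "__main__":
    for ext_id, broad in audit(SAMPLE).items():
        print(f"{ext_id}: all-site access via {broad}")
```
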

Modification of that file is not recommended nor supported.

:robwu understood.
So what's the alternative?

As I mentioned before, ZAP is the world's most popular web security scanner (being OSS and free helps;)
It is run over 3M times every month, which is a lot for a web security tool.
We know it is used far more in automation than manually.

We also know that our users really want us to handle modern web apps better.
As you know modern web apps do much more in the browser.
We need privileged access to the browser to see what these apps are doing.
ZAP is a consensual Manipulator in the Middle tool. We can inject anything anywhere.
We've tried injecting content into the target apps but that has proved difficult to maintain.
So we now have a Firefox and Chrome add-on which gives us this privileged presence in the browser.

Except that we cannot use this add-on in automation in Firefox, which makes it nearly useless to us.
While we support both Firefox and Chrome we always default to Firefox.
We only include one browser in our docker images due to space reasons, that's Firefox.
I've always been a fan of Firefox, well before I worked for Mozilla for 8 years. I really want to keep defaulting to Firefox :)

Right now our choices are:

  1. Use an undocumented and unsupported hack to get our add-on to run in Firefox in automation
  2. Switch to use Chrome

What do you suggest we do?
ZAP will not be the only web security tool with this problem.
I'm very happy to work with anyone to find a secure solution to this...

Flags: needinfo?(rob)

If you use geckodriver, could you not use those APIs to ensure your script is loaded on every page?
I understand it might be a bit tricky to have two entry points into your scripts though..

:freddy that's not practical for us - we're using a 3rd party project (Crawljax) to drive Selenium which then drives Firefox.
FYI hacking the files in a new profile does actually work, at least for now.
It's not something we want to do, but we also don't really want to drop support for Firefox, so maybe the lesser of two evils?
Any better suggestions gratefully received.
