Closed Bug 1868675 Opened 1 year ago Closed 1 year ago

Creating new ArrayBufferView from existing ArrayBuffer in web extension content script leads to Error: Permission denied to access property "constructor" on any method call for new object

Categories

(WebExtensions :: Untriaged, defect)

Product:
WebExtensions
Component:
Untriaged
Version:
Firefox 120
Type:
defect

Tracking

(firefox120 affected, firefox121 affected, firefox122 affected)

Status:
RESOLVED DUPLICATE of bug 1681809
Tracking Flags:
Tracking Status
firefox120 --- affected
firefox121 --- affected
firefox122 --- affected

People

(Reporter: ethernidee, Unassigned)

Details

Attachments

(3 files)

2023-12-08_10h50_59.png
33.50 KB, image/png
Details
FirefoxBug.zip
762 bytes, application/x-zip-compressed
Details
2023-12-11_08h58_50.png
95.78 KB, image/png
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0

Steps to reproduce:

Run the following script from web extension content script context:

const encodedText = new TextEncoder().encode('some text'); // ok
const buffer = new Uint8Array(encodedText.buffer); //  ok, but seems like some security flags for new object are missing
buffer.slice(); // Error: Permission denied to access property "constructor"
buffer.subarray(0, 2); // Error: Permission denied to access property "constructor"

Actual results:

The following internal Error is raised: Error: Permission denied to access property "constructor" on most of ArrayBufferView methods like subarray or slice.

Expected results:

No error should be raised, because new ArrayBufferView (Uint8Array) is created from the same context, as the original ArrayBufferView.

Moreover, buffer.constructor === Uint8Array is false.

The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Product: Firefox → WebExtensions

This issue from JsZip library seems to be related:
https://github.com/Stuk/jszip/issues/759

It seems, like new TextEncoder().encode('some text') produces Uint8Array with invalid security context.

The following example produces no errors:

const encodedText = new TextEncoder().encode('some text'); // ok
const buffer = new Uint8Array(encodedText.buffer); //  ok, but seems like some security flags for new object are missing
const bufferCopy = new Uint8Array(encodedText.length);
bufferCopy.set(buffer);
bufferCopy.slice(); // No error
bufferCopy.subarray(0, 2); // No error

The minimal working example to test the bug in content script context is:

const encodedText = new TextEncoder().encode('some text'); // ok
encodedText.slice(); // Error: Permission denied to access property "constructor"
encodedText.subarray(0, 2); // Error: Permission denied to access property "constructor"

Hello,

I could not reproduce the issue on the latest Nightly (122.0a1/20231207165826) or Release (120.0.1/20231129155202) under Windows 10 x64.

I installed Dark Reader and opened the add-on console via the “Inspect” button from about:debugging. Then I ran the script from Comment 0 and checked the snippet from Comment 1, as well. There were no errors logged from running the script from Comment 0 and the snippet from Comment 1 returns true.

See the attached screenshot for more details.

Now, however, I’m not sure I correctly followed the STR by running the scripts in the add-on console or that I chose the correct add-on to run them from. Please do advise if I made a mistake.

Flags: needinfo?(ethernidee)
Attached file FirefoxBug.zip

Simpliest testing extension with bug-proof code. Just load unpacked extension, enable access to all sites or run it manually and see Error: Permission denied to access property "constructor" error in console log.

Flags: needinfo?(ethernidee)

Thanks you for reply. I've attached testing extension.

content.js

"use strict";
(async () => {
  const encodedText = new TextEncoder().encode('some text'); // ok
  const buffer      = new Uint8Array(encodedText.buffer);    // ok, but seems like some security flags for new object are missing
  buffer.slice();        // Error: Permission denied to access property "constructor"
  buffer.subarray(0, 2); // Error: Permission denied to access property "constructor"

  console.debug('OK'); // Never executed
})();

manifest:

{
  "name": "Firefox Bug",
  "description": "Firefox Content Script Bug #1868675",
  "version": "1.0.0",
  "manifest_version": 3,

  "permissions": [
    "activeTab",
    "tabs",
    "storage",
    "unlimitedStorage"
  ],

  "host_permissions": ["<all_urls>"],

  "content_scripts": [{
     "matches": ["<all_urls>"],
     "js":      ["./content.js"],
     "run_at": "document_end"
  }]
}

Hello Alex and thank you for the additional info and extension !

I reproduced the issue on the latest Nightly (122.0a1/20231210093611), Beta (121.0b9/20231208091859) and Release (120.0.1/20231129155202) under Windows 10 x64 and Ubuntu 22.04 LTS.

I loaded the attached extension via about:debugging, enabled access for all sites for the extension from add-ons manager and accessed a random website (https://www.wikipedia.org/). I then opened the web console (Ctrl+Shift+K) and the mentioned error (Error: Permission denied to access property "constructor") was logged to console.

For more details see the attached screenshot.

Status: UNCONFIRMED → NEW
status-firefox120: --- → affected
status-firefox121: --- → affected
status-firefox122: --- → affected
Ever confirmed: true
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1681809
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: