Open Bug 1878940 Opened 1 year ago Updated 1 year ago

Can't use `import "chrome://"` from moz-extension mjs files (CORS request not http, Same Origin Policy disallows reading the remote resource at file:/// ...)

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

People

(Reporter: Gijs, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

STR:

  1. run a moz-extension HTML page in a popup/sidebar/whatever, and include an mjs file from your extension in there
  2. try to use common toolkit components using the builtin lit framework, e.g.
import { html } from "chrome://global/content/vendor/lit.all.mjs";
import { MozLitElement } from "chrome://global/content/lit-utils.mjs";

from that file

ER: it works

AR: it doesn't work, with a CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///C:/mozilla-source/mozilla-unified/obj-unoptimized/dist/bin/chrome/toolkit/content/global/lit-utils.mjs. (Reason: CORS request not http).

Module source URI is not allowed in this document: "chrome://global/content/lit-utils.mjs".

These resources are marked contentaccessible=yes, so I think they would normally be accessible by web content and extensions alike.

In terms of fixing this bug, I would like to make it easier for webextensions to use these modules, but not necessarily do so for web content (cf. bug 1534581 and bug 443400 etc.).

There appears to already be a carve-out for moz-extension modules here: https://searchfox.org/mozilla-central/rev/896042a1a71066254ceb5291f016ca3dbca21cb7/netwerk/protocol/http/nsCORSListenerProxy.cpp#578-592

I would imagine that we'd need a similar one for chrome URLs, when accessed by moz-extension pages/scripts.

Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]
Whiteboard: [necko-triaged] → [necko-triaged][necko-priority-new]
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-next]

@gijs: what other preconditions does it need for chrome URLs? You said "when accessed by moz-extension pages/scripts", for example

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to Randell Jesup [:jesup] (needinfo me) from comment #2)

@gijs: what other preconditions does it need for chrome URLs? You said "when accessed by moz-extension pages/scripts", for example

I think that (ie the requestor is a moz-extension page/script) + the content-accessible-ness bit, but I would expect that to be enforced already (although it'd need checking). But maybe I'm misunderstanding your question?

Flags: needinfo?(gijskruitbosch+bugs) → needinfo?(rjesup)
Flags: needinfo?(rjesup)
Blocks: necko-cors

I'm not certain I'd want to see this opened up to all addons, would need to think that through. It wouldn't bother me to much open that up to mozilla addons, but maybe limiting it to builtin addons. Not sure.

This isn't a high priority for the necko team, but if this is important to you, please make your case as to when it is needed.
We would also gladly take a patch if you are willing to write one :)

Whiteboard: [necko-triaged][necko-priority-next] → [necko-triaged]
You need to log in before you can comment on or make changes to this bug.