Closed Bug 1897759 Opened 6 months ago Closed 5 months ago

Content scripts can run in view-source: with null principal

Categories

(WebExtensions :: General, defect, P1)

Tracking

(firefox-esr115 unaffected, firefox126 unaffected, firefox127 unaffected, firefox128 fixed)

RESOLVED FIXED
128 Branch

People

(Reporter: robwu, Assigned: robwu)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [addons-jira])

Attachments

(2 files)

In bug 1475831, we enabled extensions to run content scripts on null principals if the extension is allowed to access its precursor.

One unintended side effect is that it also enables extensions to run content scripts in view-source: URLs of documents that have CSP sandbox set without allow-same-origin. We should ignore null principals if the documents they're associated with have the view-source: scheme. A test case can be found in bug 1896824.

The same logical flaw also exists in the devtools.inspectedWindow.eval implementation, at https://searchfox.org/mozilla-central/rev/e65d93ace2a618b58bf1497c5be8918404f6dbbe/devtools/server/actors/addon/webextension-inspected-window.js#113-114
When I run the test case from bug 1865689, it blocks access to view-source:https://example.com/ as expected, but not view-source:https://raw.githubusercontent.com/Robbendebiene/Gesturefy/master/crowdin.yml
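As an added illustration (not Firefox's code), the decision described in this report modelled in plain JavaScript: a CSP sandbox without allow-same-origin yields a null principal with a precursor, the pre-fix check judged only that precursor, and the fixed check rejects view-source: documents outright. The function names and the simplified principal rules are assumptions.

```javascript
// Constructed model of the principal a document ends up with, given its URL
// and the Content-Security-Policy header it was served with. Simplification:
// a "sandbox" directive without allow-same-origin yields a null principal
// whose precursor is the document's own origin.
function documentPrincipal(url, cspHeader) {
  const origin = new URL(url.replace(/^view-source:/, "")).origin;
  const sandbox = (cspHeader || "")
    .split(";")
    .map((directive) => directive.trim().split(/\s+/))
    .find((tokens) => tokens[0] === "sandbox");
  if (sandbox && !sandbox.includes("allow-same-origin")) {
    return { isNull: true, precursorOrigin: origin };
  }
  return { isNull: false, origin };
}

// Decide whether an extension with host permissions for `allowedOrigins`
// may inject a content script into the document loaded from `url`.
// `rejectViewSource: false` reproduces the pre-fix behaviour from this bug.
function mayRunContentScript(url, principal, allowedOrigins, { rejectViewSource = true } = {}) {
  // The fix: a view-source: viewer is never a valid injection target,
  // whatever principal the sandboxed inner document produced.
  if (rejectViewSource && url.startsWith("view-source:")) return false;
  if (principal.isNull) {
    // Bug 1475831 behaviour: a null principal is judged by its precursor.
    return allowedOrigins.includes(principal.precursorOrigin);
  }
  return allowedOrigins.includes(principal.origin);
}

// Constructed scenario: the extension may access https://example.com, and the
// page is served with "Content-Security-Policy: sandbox".
const allowed = ["https://example.com"];
const viewSourceUrl = "view-source:https://example.com/";
const principal = documentPrincipal(viewSourceUrl, "sandbox");
console.log(mayRunContentScript(viewSourceUrl, principal, allowed, { rejectViewSource: false })); // true (the bug)
console.log(mayRunContentScript(viewSourceUrl, principal, allowed)); // false (fixed)
```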

Set release status flags based on info from the regressing bug 1475831

It would be really handy to be able to run userscripts on view-source:. E.g. I have a userscript which highlights all instances of a string in a certain colour, and other strings in other colours ad libitum.

(In reply to swleefers from comment #2)
> It would be really handy to be able to run userscripts on view-source:. E.g. I have a userscript which highlights all instances of a string in a certain colour, and other strings in other colours ad libitum.

Please file a new bug (enhancement / feature request) for that. The current partial support for view-source: was accidental. If there are valid use cases for code execution at view-source:, then we could consider that separately.

Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/c86294ddb06e
Don't run content scripts at view-source r=rpl
https://hg.mozilla.org/integration/autoland/rev/38bda664f3cb
Reject devtools.inspectedWindow.eval at view-source r=rpl,devtools-reviewers,nchevobbe
https://hg.mozilla.org/integration/autoland/rev/a2e89e6ece0f
apply code formatting via Lando
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch