Open Bug 1905397 Opened 9 days ago Updated 6 days ago

in extension's background script, fetch other extension's icon url causes CORS error

Categories

(WebExtensions :: General, enhancement, P5)

Firefox 128
enhancement

Tracking

(Not tracked)

People

(Reporter: 7sDream, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

  1. Create a minimal web extension with "management" permission
  2. Add a background script, use browser.management.getAll() API to fetch all addon info
  3. Get those addons' icons by fetching the addons[].icons[].url, or load them in an (out of DOM) <img> element

The example project is uploaded as an attachment, with a log screenshot.

Actual results:

Both fetch and the img element raise an error, which seems CORS related.

Expected results:

The icon url returned by getAll API should be visitable in other extensions' origin.

For now, if the web_accessible_resources field of the target extension's manifest file includes their icon, the fetch/img can work, which is reasonable. But since the icon URL is part of a public API, I think it maybe shouldn't be limited by CORS by default.

FYI: Chrome resolves this by using a special origin in the returned icon URL, for example: chrome://extension-icon/dnhpnfgdlenaccegplpojghhmaamnnfp/128/0

The uploaded code has an <all_urls> host permission in the manifest; this is not required.
But

Component: Untriaged → General
Product: Firefox → WebExtensions

Sorry, I accidentally sent an unfinished paragraph while trying to change the category.


The uploaded code has an <all_urls> host permission in the manifest; this is not required.
But it demonstrates that the issue still persists even if we have requested permissions for all URLs.

Would be nice if we expose the icons, indeed. Them not being available without web_accessible_resources is currently working as intended.

Note: there is another bug that prevents icons of disabled extensions from being displayed, at bug 1385562.

For visibility, I'm also linking bug 1315616. This is about favicons of websites, in theory we could also consider implementing this feature as a kind of favicon for extensions.

Severity: -- → N/A
Priority: -- → P5
See Also: → 1385562, 1315616
Status: UNCONFIRMED → NEW
Ever confirmed: true
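
The reproduction steps from the report, as an added diagnostic sketch (not the attached project and not Mozilla's code): it enumerates add-ons with browser.management.getAll(), tries to fetch each icon URL, and records which ones the calling extension can actually read. Passing `api` and `fetchFn` as parameters, the function names and the status labels are assumptions of this example.

```javascript
// Added example: probe which icon URLs returned by management.getAll()
// are readable from this extension. Requires the "management" permission.
// `api` is the WebExtension namespace (browser) and `fetchFn` is fetch;
// they are parameters (assumption of this sketch) so stubs can be used.
async function probeExtensionIcons(api, fetchFn) {
  const addons = await api.management.getAll();
  const report = [];
  for (const addon of addons) {
    // ExtensionInfo.icons is optional: add-ons without icons omit it.
    for (const icon of addon.icons ?? []) {
      const entry = { id: addon.id, size: icon.size, url: icon.url };
      try {
        const res = await fetchFn(icon.url);
        entry.status = res.ok ? "readable" : `http-${res.status}`;
      } catch (err) {
        // fetch() rejects (TypeError) when the load is blocked; script
        // cannot tell a CORS block apart from other network failures.
        entry.status = "blocked";
        entry.error = String(err && err.message);
      }
      report.push(entry);
    }
  }
  return report;
}

// Among add-ons that advertise icons, list those with no readable icon,
// i.e. the ones whose icons are not web-accessible to the caller.
function addonsWithoutReadableIcon(report) {
  const readable = new Set(
    report.filter((e) => e.status === "readable").map((e) => e.id)
  );
  return [...new Set(report.map((e) => e.id))].filter((id) => !readable.has(id));
}

// In a real background script:
// probeExtensionIcons(browser, fetch).then((r) => console.table(r));
```

Add-ons listed by addonsWithoutReadableIcon() are the ones whose icons are not covered by web_accessible_resources, matching the "working as intended" behaviour described above.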