In an extension's background script, fetching another extension's icon URL causes a CORS error
Categories
(WebExtensions :: General, enhancement, P5)
Tracking
(Not tracked)
People
(Reporter: 7sDream, Unassigned)
Attachments
(1 file)
556.77 KB,
application/x-gzip
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Steps to reproduce:
- Create a minimal web extension with "management" permission
- Add a background script, use browser.management.getAll() API to fetch all addon info
- Get those addons' icons by fetching addons[].icons[].url, or load them in an (out-of-DOM) <img> element
The example project is uploaded as an attachment, with a log screenshot.
Actual results:
Both fetch and the img element raise an error, which seems CORS related.
Expected results:
The icon url returned by getAll API should be visitable in other extensions' origin.
For now, if the web_accessible_resources field of the target extension's manifest file includes its icon, the fetch/img can work, which is reasonable. But because the icon URL is part of a public API, I think it perhaps shouldn't be limited by CORS by default.
FYI: Chrome resolves this by using a special origin in the returned icon URL, for example: chrome://extension-icon/dnhpnfgdlenaccegplpojghhmaamnnfp/128/0
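A background-script probe for the steps above, as an added example (not the reporter's attached project): for each installed add-on it records whether the largest icon URL returned by `browser.management.getAll()` can be fetched. The name `probeIcons`, its parameters, the status labels and the sample data are assumptions made for this example.

```javascript
// Added example. In a real extension this needs the "management" permission.
// `management` and `fetchFn` are parameters so the logic also runs with stubs.
async function probeIcons(management, fetchFn, ownId) {
  const results = [];
  for (const addon of await management.getAll()) {
    if (addon.id === ownId) continue;        // skip the probing extension itself
    const icons = addon.icons || [];         // `icons` is optional in ExtensionInfo
    if (icons.length === 0) {
      results.push({ id: addon.id, url: null, status: "no-icon" });
      continue;
    }
    // Probe the largest declared icon.
    const icon = icons.reduce((a, b) => (b.size > a.size ? b : a));
    try {
      const resp = await fetchFn(icon.url);
      const status = resp.ok ? "readable" : "http-" + resp.status;
      results.push({ id: addon.id, url: icon.url, status });
    } catch (err) {
      // fetch() rejects (TypeError) when the request is blocked.
      results.push({ id: addon.id, url: icon.url, status: "blocked", error: err.name });
    }
  }
  return results;
}

// Constructed sample data: only the "bbbb" add-on is treated as listing its
// icon in web_accessible_resources.
const SAMPLE_ADDONS = [
  { id: "self@example", icons: [{ size: 48, url: "moz-extension://aaaa/icon.png" }] },
  { id: "open@example", icons: [{ size: 16, url: "moz-extension://bbbb/i16.png" },
                                { size: 64, url: "moz-extension://bbbb/i64.png" }] },
  { id: "closed@example", icons: [{ size: 32, url: "moz-extension://cccc/i32.png" }] },
  { id: "plain@example" },
];
const sampleManagement = { getAll: async () => SAMPLE_ADDONS };
const sampleFetch = async (url) => {
  if (url.startsWith("moz-extension://bbbb/")) return { ok: true, status: 200 };
  throw new TypeError("NetworkError when attempting to fetch resource.");
};

if (typeof browser !== "undefined" && browser.management) {
  // Inside a background script: probe the real add-on list.
  probeIcons(browser.management, (u) => fetch(u), browser.runtime.id).then(console.table);
} else {
  // Outside the browser: run against the constructed sample data.
  probeIcons(sampleManagement, sampleFetch, "self@example").then(console.table);
}
```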
Reporter
Comment 1•9 days ago
The uploaded code has an <all_urls> host permission in the manifest; this is not required.
But
Reporter
Comment 2•9 days ago
Sorry, I accidentally sent an unfinished paragraph while trying to change the category.
The uploaded code has an <all_urls> host permission in the manifest; this is not required.
But it demonstrates that the issue still persists even if we have requested permissions for all URLs.
Comment 3•6 days ago
Would be nice if we expose the icons, indeed. Them not being available without web_accessible_resources is currently working as intended.
Note: there is another bug that prevents icons of disabled extensions from being displayed, at bug 1385562.
For visibility, I'm also linking bug 1315616. This is about favicons of websites, in theory we could also consider implementing this feature as a kind of favicon for extensions.
Updated•6 days ago