Calling `a.click()` on a "data:" URL link created with `document.createElement` in a WebExtension crashes the browser
Categories
(Firefox for Android :: WebExtensions, defect, P3)
People
(Reporter: oxij, Unassigned, NeedInfo)
Details
(Whiteboard: [fxdroid][group2])
Steps to reproduce:
I'm porting my https://addons.mozilla.org/en-US/firefox/addon/pwebarc/ to Firefox on Android. So, I installed Fennec from F-Droid, enabled USB debugging, pushed the extension to my phone via https://github.com/mozilla/web-ext and started debugging the things that do not work there.
The main problem, however, is that it is trivial to crash the browser by trying to do saveAs from background JavaScript.
I minimized this issue to the following: make a trivial extension with background.js with
```js
// based on https://stackoverflow.com/questions/13405129/create-and-save-a-file-with-javascript
function saveAs(chunks, mime, fileName) {
    var file = new Blob(chunks, { type: mime ? mime : "application/octet-stream" });
    var fileURL = URL.createObjectURL(file);
    var el = document.createElement("a");
    el.href = fileURL;
    if (fileName)
        el.download = fileName;
    // this won't help
    // document.body.appendChild(el);
    el.dispatchEvent(new MouseEvent("click"));
    // this will also crash
    // el.click();
    setTimeout(() => {
        //document.body.removeChild(el);
        URL.revokeObjectURL(fileURL);
    }, 60000);
}

setTimeout(() => {
    saveAs([new Uint8Array([0, 1, 2, 3])], "application/octet-stream", `pWebArc-export-test.bin`);
}, 1000);
```
run

```
node node_modules/web-ext/bin/web-ext.js run -t firefox-android --android-device=XXXXXXXXXX
```

wait for it to start, wait another second.
Actual results:
It crashed.
Expected results:
It shouldn't have.
Comment 1•1 year ago
The severity field is not set for this bug.
:zmckenney, could you have a look please?
For more information, please visit BugBot documentation.
Updated•1 year ago
Since this was reported, pWebArc became Hoardy-Web https://addons.mozilla.org/en-US/firefox/addon/hoardy-web/ and with its v1.21.1 I made it possible to reproduce this crash rather easily:
- Install `Hoardy-Web` on Firefox on Android.
- Browse some websites so that it would capture some data.
- Open the popup, click the "RT" tab, enable "Allow unsafe config values".
- Click "P&R" tab, under "Re-archival from local storage" enable "Export dumps via `saveAs`" (which enables the use of the crash-causing code reported above).
- (optionally, to make it crash much faster, but it will crash without this too) Disable "GZip outputs" and set all timeouts to `0`s under "Export via `saveAs`" there.
- Give it a couple seconds to save the config so that the next step could be retried easily.
- Press "Re-archive all" button under "Quick re-archival".
The browser will crash immediately if the optional step was not skipped and after 3+ seconds if it was.
Updated•5 months ago