Closed Bug 1914803 Opened 1 year ago Closed 1 year ago

Unable to load `resource:///` favicons in `about:home`/`about:newtab` when `browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar` is false

Categories

(Firefox :: Search, defect)

Product:
Firefox
Component:
Search
Version:
Firefox 129
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: aoia7rz7l, Unassigned)

References

(Regression)

Details

(Keywords: regression)

I don't really remember why I did this in the first place, but I think it's a combination of the default DDG search engine not sending requests via POST and the OpenSearch DDG favicon appearing blurry under certain circumstances at one point. Anyway, this was tested on 129.0 and 128.1.0esr.

Prerequisite:

browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar is set to false.

STR:

  1. Visit https://html.duckduckgo.com/html/ and add its OpenSearch search engine.
  2. Directly modify the OpenSearch search engine's _iconURL value in search.json.mozlz4 using mozlz4-edit.
  3. In 128 or before, change the value of _iconURL to either moz-extension://[webext-uuid-for-ddg@search.mozilla.org]/favicon.ico or resource://search-extensions/ddg/favicon.ico. The value of [webext-uuid-for-ddg@search.mozilla.org] can be obtained by checking the value of extensions.webextensions.uuids in each profile.
  4. In 129+, you will need to change the value of _iconURL to resource:///defaults/settings/main/search-config-icons/a06dc3fd-4bdb-41f3-2ebc-4cbed06a9bd3 because the favicons were removed in bug 1895873.
  5. Save the search.json.mozlz4 somewhere else without overwriting it, and close Firefox.
  6. Replace the old search.json.mozlz4 with the new one.
    (6a. In ESR builds, you can also set the value of IconURL for new search engines using the SearchEngines policy.)
  7. Start Firefox.
  8. Visit about:home/about:newtab and type anything into the search box.

Expected Behavior:

The search widget? should pop out and you can see the customized DDG OpenSearch's favicon.

Actual Behavior:

The customized DDG OpenSearch's favicon failed to load when it's pointing to a resource:/// link. Browser console contains errors such as

Security Error: Content at about:home may not load or link to resource:///defaults/settings/main/search-config-icons/a06dc3fd-4bdb-41f3-2ebc-4cbed06a9bd3.

or

Security Error: Content at about:newtab may not load or link to resource:///defaults/settings/main/search-config-icons/a06dc3fd-4bdb-41f3-2ebc-4cbed06a9bd3.

Favicons pointing to resource:/// links are correctly loaded in both the urlbar and the search bar.

After some investigation, I believe the fix can be as simple as adding something like

% resource search-config-icons resource://app/defaults/settings/main/search-config-icons/ contentaccessible=yes

to somewhere, although I am not sure exactly where. Flipping security.all_resource_uri_content_accessible and restarting Firefox also works as a workaround, but again I am not sure if I actually wanted to do that given the security implications.

Regressed by bug 1895873 (in a way).

Keywords: regression
Regressed by: 1895873

The Bugbug bot thinks this bug should belong to the 'Firefox::New Tab Page' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → New Tab Page

:mbeier, since you are the author of the regressor, bug 1895873, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(mbeier)
Component: New Tab Page → Search

I'm curious as to why you want to be able to use the icon from within Firefox?

The icon itself does not update frequently - only when DuckDuckGo changes their branding. If you really don't like the icon they have, you can use a data URI instead of a resource URI - there are various converters around which will take an image and give you the appropriate URL.

Overall, this is probably going to be a won't fix - we want to restrict access to resources more than we are doing, and there's no real need for us to expose this to newtab.

Flags: needinfo?(mbeier) → needinfo?(aoia7rz7l)

As mentioned previously, we don't want to allow access to resources on the new tab page. You can use a data URI to insert into the search.json.mozlz4 instead, and that will work fine.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(aoia7rz7l)
Resolution: --- → WONTFIX

Yeah I think that's fair. FWIW there is no need to use any external converter, Firefox already allow users to copy images as data URLs in both the Inspector and the Network Monitor.

You need to log in before you can comment on or make changes to this bug.