1917842 - Blob isolation causes downloads to fail from extension pages embedded in partitioned iframes

Status: NEW

(WebExtensions :: General, defect, P3)

Description

[Andrew]

Attachment: firefox-libre-faststream_video_player-1.3.26.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Steps to reproduce:

Firefox Developer Edition 131.0 Beta 4 (20240909091655)

1. Manually install faststream video player extension V1.3.26 from the provided file
2. Go to https://faststream.online/bugs/firefox-blob-isolation
3. Click extension icon, the video should be replaced with a custom player.
4. Click the download icon to save the video to an MP4

Actual results:

File save fails silently

Expected results:

File save should occur

Comment 1

[Andrew]

Attachment: firefox-libre-faststream_video_player-1.3.27-bugreport.zip

Comment 2

[Andrew]

Comment on attachment 9423873 [details]
firefox-libre-faststream_video_player-1.3.27-bugreport.zip

Please use this file instead for testing

Comment 3

[Andrew]

Comment on attachment 9423873 [details]
firefox-libre-faststream_video_player-1.3.27-bugreport.zip

Ignore this file

Comment 4

[Andrew]

Related FastStream issue on Github: https://github.com/Andrews54757/FastStream/issues/235

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Firefox::File Handling' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 6

[Andrew]

Test page without sandbox set, to demonstrate that it works normally there: https://faststream.online/bugs/firefox-blob-isolation-working

Comment 7

[Andrew]

My apologies, it appears like my reproduction methods were incorrect. After some investigation, I discovered that the problem stems from partitioned iframes, not sandboxes. Here are updated instructions for reproducing the issue:

1. Download firefox-faststream-partition-bug.zip and install as temporary extension in Firefox Developer Edition
2. Go to https://faststream.online/bugs/firefox-blob-isolation-test
3. Enable the extension by clicking on the icon
4. The player should be replaced. Click the download/save icon in the bottom right corner.
5. The download will fail with the error Cannot access blob URL “blob:moz-extension://...” with a different partition key.

Comment 8

[Andrew]

Attachment: firefox-faststream-partition-bug.zip

Extension file to use to test

Comment 9

[:Gijs (he/him)]

Not sure whether/how add-on APIs are supposed to respond to the partitioning here, but over to webextensions for initial investigation, as this is all before any downloads/file handling code gets its hands on anything.

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

:abhishekmadan, since you are the author of the regressor, bug 1843155, could you take a look?

For more information, please visit BugBot documentation.

Comment 11

[Rob Wu [:robwu]]

(In reply to :Gijs (he/him) from comment #9)

Not sure whether/how add-on APIs are supposed to respond to the partitioning here

That is yet to be defined. In bug 1698863 I collected some issues around partitioning in the downloads.download API. We probably need some new properties to enable extensions to describe the partition to use. I'll also discuss this with other browser vendors at TPAC 2024 (https://github.com/w3c/webextensions/issues/659#issuecomment-2354057779).

An alternative solution would be for the extension implementation to query for the partition containing the blob:-URL and then issue a download. Since blob:-URLs contain GUIDs, the odds of a conflicting blob:-URL should be negligible. If this is feasibly implementable, then I'd favor such an approach instead of waiting for additions to extension APIs.

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1843155

Comment 13

[Abhishek Madan[:abhishekmadan]]

Hi Tim, thought I was would forward this to you. If there is something that I need to contribute for this, I can do that too

Comment 14

[Tim Huang[:timhuang]]

Thanks. Let's keep an eye on the TPAC discussion to decide how we proceed.

Comment 15

[Rob Wu [:robwu]]

(needinfo'ing myself to update this bug when there is a reply)

Tim - is it feasible to look up from any partition as I described in comment 11?

Comment 16

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1843155

Comment 17

[Rob Wu [:robwu]]

We didn't get to discussing this topic at TPAC.

Tim: question, how feasible is the fix I sketched in comment 11?

(In reply to Rob Wu [:robwu] from comment #11)

An alternative solution would be for the extension implementation to query for the partition containing the blob:-URL and then issue a download. Since blob:-URLs contain GUIDs, the odds of a conflicting blob:-URL should be negligible. If this is feasibly implementable, then I'd favor such an approach instead of waiting for additions to extension APIs.

Comment 18

[Tim Huang[:timhuang]]

Sorry for the late response.

I think this is a feasible implementation. The document's partitionKey can be queried through the cookieJarSettings. And the cookieJarSettings is avaiable through the chrome-only interface in the document.webidl.