browser.notifications.create() no longer displays icons when using data: URLs (base64-encoded images)
Categories
(WebExtensions :: General, defect)
Tracking
(firefox-esr115 unaffected, firefox-esr128 unaffected, firefox-esr140 verified, firefox139 wontfix, firefox140 wontfix, firefox141 verified)
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | unaffected |
| firefox-esr140 | --- | verified |
| firefox139 | --- | wontfix |
| firefox140 | --- | wontfix |
| firefox141 | --- | verified |
People
(Reporter: firefoxbugs, Assigned: robwu)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [addons-jira])
Attachments
(5 files, 1 obsolete file)
2025-06-05_10h06_35.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Steps to reproduce:
Run in webextension
browser.notifications.create({
type: "basic",
iconUrl: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAACTklEQVRYR2NkGGDASIn94Q2HfqxssOOgxAyKHBDRcOjfigY7plEHjIbAaAiMhsDwDoG0hs1csxp8v2HzJb6SEJ8+ZLPwFsWhhas4mfklLjEyMKcvb7Deh+4IXA6IbDjq9J/x70xJXha9/iKr7/iiiGBdENlyxObf7z+rmRmZY5c12O5BNgybA6IaDrv8/f93MRMrS+jyGpsjhNIHQQeADIhoOWj1//f/tQyMrPErG6x3wQxFd0B4w1E3hv+/FzKyMgavqLE/RshykDxRDgApDG/YbcHwn3U9EyNz4vIG2x1ghyHVhpENhz3+/f87n4Hxf+DKBscTxFgOd4ClpeU/fBrY2Ng2BweXh535LqD/89uvjcyMLMnLGmy2wRwQ1XDE6+//P3OZWdn8Lfg+XFy7tnvVr18/fAk54vjx40zgEAA54NChQ//xafj9+/fm+/c5w7q3H9P//vn3JhYWttS/f/9sYmZm8fv3//csdlYW/1I/gYuKiiqrWFmZCFpuZ2fHSJIDQI779+/ftkePHoV0bnyr8/Xbz83//zFKMDL9f8EGtLAmROKKnJzcGiYmJi9CPgfJk+UAqCN2AB0R1LHptdbXz79XsLGzRtSGiF4DWr4OaLkHuuXVNbUo6ay1pRkU3YxkOwCccBgZdz1+zBx4+jTDb1PTB6yysrLr////74bN5zRxANQRe5iZmSP//v27HGi5CzHBjqyGohCAGQS0+DMwNHhJtZyiNECOZdj0UCUEKHHMqAMGXwhQEp/k6oUXxeQaQA19RFfH1LAMmxkAXXBYMKPceG4AAAAASUVORK5CYII=",
title: "Test Notification",
message: "This notification should have an icon."
});
Load the extension temporarily (about:debugging → "This Firefox").
Trigger the background script.
Actual results:
The notification appears without any icon — the iconUrl is silently ignored.
No errors are thrown, but the image is never rendered.
Expected results:
The notification appears with the icon correctly rendered from the base64 data: URL.
This behavior previously worked with Firefox 138 as expected and is still documented as valid.
|
||
Comment 2•4 months ago
|
||
Hello,
I could not reproduce the issue on the latest Nightly (141.0a1/20250604183413), Beta (140.0b5/20250604091121) or Release (139.0.1/20250529122813) under Windows 11 and Ubuntu 24.04 LTS.
In Comment 0, you mentioned to load “the extension temporarily” but there is no extension attached. So I installed an extension which I know sends notifications from the OS - https://addons.mozilla.org/en-US/firefox/addon/s3download-statusbar/.
With the extension installed, I ran the code in the extension console and the notification that popped up had an icon. See attached screenshot.
I’ve also installed the same extension temporarily via about:debugging and ran the code in the extension console again. Same results as above i.e. the notification that pops up has an icon.
Did you use a specific extension when uncovering this? It would maybe help to link to it, or attach it here so I can test it out as well.
|
|
||
Comment 3•4 months ago
|
||
Sorry, forgot to mention that it's only with alerts.useSystemBackend = false
With alerts.useSystemBackend = true icon shows up.
|
|
||
Comment 6•4 months ago
|
||
Thank you for the additional info !
Rechecked with alerts.useSystemBackend = false and indeed, the notification does not have an icon in this case.
|
Assignee | |
Comment 7•4 months ago
|
||
This is because CSP for alerts.xhtml is too restrictive:
img-src chrome: resource: https:
The documentation states:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/notifications/NotificationOptions#iconurl
The URL can be: a data URL, a blob URL, a http or https URL, or the relative URL of a file within the extension.
In practice the validation is nearly non-existent; The implementation accepts any string input, and if it is a relative URL, it converts it to a moz-extension:-URL. Otherwise (if the URL is absolute), it is accepted as is.
In any case, we should expand the img-src CSP directive in alerts.xhtml to also include http: data: blob:.
|
||
Updated•4 months ago
|
|
||
Comment 8•4 months ago
|
||
:simonf, since you are the author of the regressor, bug 1958802, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 9•4 months ago
|
||
I'll fix this (trivial) and add a unit test (bit more work).
|
||
Updated•4 months ago
|
|
|
Assignee | |
Comment 10•4 months ago
|
||
|
||
Comment 11•4 months ago
|
||
|
||
Updated•4 months ago
|
|
||
Comment 12•4 months ago
|
||
|
||
Comment 13•4 months ago
|
||
| bugherder | ||
|
|
||
Comment 14•4 months ago
|
||
The patch landed in nightly and beta is affected.
:robwu, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox140towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 15•4 months ago
|
||
It's RC week for Beta, so I'm not going to uplift this bug to Beta.
It is a regression affecting users who have turned on a non-default feature. The impact is the icon not displaying in notifications.
I'll let it ride the train, and uplift this to ESR140 aligned with the 141 release, so that the regression does not persist for a long while on ESR140.
|
|
Assignee | |
Updated•4 months ago
|
|
|
Assignee | |
Comment 16•4 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D253561
|
|
||
Comment 17•4 months ago
|
||
firefox-esr140 Uplift Approval Request
- User impact if declined: Custom icons not displaying in desktop notifications created by extensions, when alerts.useSystemBackend = false (regression in version 139, fix landed in 141)
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: QA not needed; fully covered by automated tests.
- Risk associated with taking this patch: Low
- Explanation of risk level: Relaxes the overly strict CSP in desktop notification windows that was added in 139. This fixes an issue without causing new ones, and is verified by unit tests. This only changes the img-src CSP directive, the more security-relevant script-src directive is not touched
- String changes made/needed: None
- Is Android affected?: no
|
||
Updated•4 months ago
|
|
|
||
Updated•4 months ago
|
|
|
||
Comment 18•4 months ago
|
||
Verified as Fixed. Tested on the latest Nightly (141.0a1/20250616214059) under Windows 11 and Ubuntu 24.04 LTS.
With alerts.useSystemBackend = false and using the STR from Comment 0 + the extension from Comment 2, the notification that pops up now has an icon. See attached screenshot.
|
|
||
Comment 19•4 months ago
|
||
|
|
||
Updated•4 months ago
|
|
||
Updated•4 months ago
|
|
|
||
Comment 20•4 months ago
|
||
| uplift | ||
|
|
||
Comment 21•4 months ago
|
||
Verified as Fixed. Tested on the latest ESR (140.1.0esr/20250702122229 from https://treeherder.mozilla.org/jobs?repo=mozilla-esr140&revision=d18e8127f8f4d4fc4d9e4ee6f1a1a66965201154 – Build linked in Comment 20).
With alerts.useSystemBackend = false and using the STR from Comment 0 + the extension from Comment 2, the notification that pops up has an icon, confirming the fix.
Description
•