Open Bug 1975178 Opened 2 months ago Updated 10 days ago

exportExtension may write non-installed extension ID to StartupCache.permissions via ExtensionPermissions.get call

Categories

(GeckoView :: Extensions, defect)

Product:
GeckoView
Component:
Extensions
Platform:
All
Android
Type:
defect

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned, NeedInfo)

References

Details

While looking into bug 1974419, I realized that the extension install prompt logic has a side effect of writing the extension ID to disk. This happens because the Allow extension to run in private windows checkbox looks up the access in the permissions database, and the result is cached in StartupCache.permissions by ExtensionPermissions.get().

I fixed this issue on desktop: https://phabricator.services.mozilla.com/D255531#inline-1403577

... but did not fix it in GeckoView because the exportExtension function that has the same issue (it calls ExtensionPermissions.get) has many callers, many of which are not tied to an installation.

The severity field is not set for this bug.
:towhite, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(towhite)
Flags: needinfo?(towhite) → needinfo?(lgreco)
You need to log in before you can comment on or make changes to this bug.