Closed Bug 2011234 Opened 3 months ago Closed 2 months ago

Extensions can dynamically execute code in their moz-extension: documents with tabs/scripting.executeScript

Categories

(WebExtensions :: General, defect, P1)

Product:
WebExtensions
Component:
General
Type:
defect

Tracking

(firefox-esr115 wontfix, firefox-esr140 wontfix, firefox147 wontfix, firefox148 wontfix, firefox149 fixed)

Status:
RESOLVED FIXED
Milestone:
149 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr140 --- wontfix
firefox147 --- wontfix
firefox148 --- wontfix
firefox149 --- fixed

People

(Reporter: robwu, Assigned: rpl)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [addons-jira][adv-main149-])

Attachments

(6 files)

executeScript-in-extension.zip
993 bytes, application/zip
Details
Bug 2011234 - Support restriction on content script moz-extension urls matching and enable restriction by default in Nightly. r=robwu!
48 bytes, text/x-phabricator-request
Details | Review
Bug 2011234 - Test coverage for executeScript APIs on moz-extensions pages r=robwu!
48 bytes, text/x-phabricator-request
Details | Review
Bug 2011234 - Log a deprecation warning on content script injection into WebExtensions page or subframes. r?robwu!
48 bytes, text/x-phabricator-request
Details | Review
Bug 2011234 - Collect emergency rollback pref in Glean telemetry probe. r?robwu!
48 bytes, text/x-phabricator-request
Details | Review
Bug 2011234 - Collect Glean telemetry event on content script matching moz-extension documents. r?robwu!
48 bytes, text/x-phabricator-request
Details | Review

The tabs.executeScript and scripting.executeScript functions allow extensions to run arbitrary code (strings) in privileged extension contexts.

In Firefox 55, an attempt to call tabs.executeScript for a moz-extension: tab resulted in the following error:

Missing host permission for tab

The above is the intended behavior, confirmed in bug 1280801 (where a request for the ability to do so was closed as intentional), and this also matches Chrome's behavior (current behavior, but I also spot checked as far back as Chrome 40, released 11 years ago).

In Firefox 56 and later, execution succeeds, due to changes in bug 1271354, which added logic that unconditionally registers an extension's own URL as a granted permission (and the logic still exists). The original intent was for webRequest to allow matching of the URL (which does not even work - the unit test (test_chrome_ext_webrequest_mozextension.html) is always skipped), but the implementation enables content scripts to run in an extension's own origin as an unintended side effect.

But the ability to inject in one's own frames was explicitly declared as intentional in bug 1439012, and even documented at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript

This ability for extensions to trivially execute code in privileged extension contexts is at odds with other initiatives to avoid string-based code execution in extensions, such as the default CSP that restricts script-src to extension URLs, and even the removal of the ability to allowlist remote sources in MV3 (bug 1581608).

STR:

  1. Visit about:debugging and load the following extension. Or use web-ext run
  2. Look at the page, which displays the result of calling tabs.executeScript with code location.href

Expected:

  • Execution should fail. E.g. Firefox 56 shows Missing host permission for tab

Actual:

  • Execution succeeds. The moz-extension:-URL is displayed.

In bug 2004404, an extension encountered a bug because faster content script execution in about:blank, coupled with extension logic that called tabs.executeScript for the calling frame, caused a content script to execute in the moz-extension: document that the extension loaded in the tab. :vhilla asked whether this execution was intentional in https://bugzilla.mozilla.org/show_bug.cgi?id=2004404#c11 and noted that Chrome did not exhibit the same behavior.

See Also: → 2004404

Set release status flags based on info from the regressing bug 1271354

:mixedpuppy, since you are the author of the regressor, bug 1271354, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox147: --- → affected
status-firefox148: --- → affected
status-firefox149: --- → affected
status-firefox-esr140: --- → affected
Flags: needinfo?(mixedpuppy)

(clearing needinfo, we will revisit this bug during the next triage meeting)

Flags: needinfo?(mixedpuppy)
See Also: → 1280801
Severity: -- → S2
Priority: -- → P1
See Also: → https://mozilla-hub.atlassian.net/browse/WEBEXT-2568
Whiteboard: [addons-jira]
Assignee: nobody → lgreco
Status: NEW → ASSIGNED

"mitigation-bypass" in the sense that we have tried to prevent extensions from being able to "eval" strings in a more-than-web privileged context, as Rob noted at the end of comment 0

Keywords: csectype-mitigation-bypass, sec-moderate

This week is the final week of beta for Fx148.
:luca, do you think this will target a later release, or do you plan to land and request uplifts this week?

Flags: needinfo?(lgreco)

We are planning to land a depreciation warning and let it ride the train, then flip the pref that enforces the new behavior by default.

I discussed this bug with Luca and dveditz and we agreed to open up the bug because the change in behavior will be obvious, and need to be documented.

Group: firefox-core-security
Flags: needinfo?(lgreco)
Keywords: dev-doc-needed
Attachment #9539056 - Attachment description: (secure) → Bug 2011234 - Support restriction on content script moz-extension urls matching and enable restriction by default in Nightly. r=robwu!
Attachment #9539057 - Attachment description: (secure) → Bug 2011234 - Test coverage for executeScript APIs on moz-extensions pages r=robwu!
Attachment #9540372 - Attachment description: (secure) → Bug 2011234 - Log a deprecation warning on content script injection into WebExtensions page or subframes. r?robwu!
Attachment #9540373 - Attachment description: (secure) → Bug 2011234 - Collect emergency rollback pref in Glean telemetry probe. r?robwu!
Attachment #9540374 - Attachment description: (secure) → Bug 2011234 - Collect Glean telemetry event on content script matching moz-extension documents. r?robwu!
Blocks: 2015559
Pushed by luca.greco@alcacoop.it: https://github.com/mozilla-firefox/firefox/commit/2a23653e7c4e https://hg.mozilla.org/integration/autoland/rev/4d5f28af1a2d Support restriction on content script moz-extension urls matching and enable restriction by default in Nightly. r=robwu https://github.com/mozilla-firefox/firefox/commit/508c9ea781b7 https://hg.mozilla.org/integration/autoland/rev/6fe6f431e418 Test coverage for executeScript APIs on moz-extensions pages r=robwu https://github.com/mozilla-firefox/firefox/commit/eb46c1133614 https://hg.mozilla.org/integration/autoland/rev/cca2666ee322 Log a deprecation warning on content script injection into WebExtensions page or subframes. r=robwu https://github.com/mozilla-firefox/firefox/commit/3d72fa8cd4a4 https://hg.mozilla.org/integration/autoland/rev/f214f66b343d Collect emergency rollback pref in Glean telemetry probe. r=robwu https://github.com/mozilla-firefox/firefox/commit/539c7f9ea52a https://hg.mozilla.org/integration/autoland/rev/7decec007f35 Collect Glean telemetry event on content script matching moz-extension documents. r=robwu
See Also: → 2016020

Should we have a nightly-only 149 release note to announce this change?

Flags: needinfo?(lgreco)

A release note on MDN only is sufficient.

dev-doc-needed keyword has already been added, we should mention the deprecation in 149 (warnings only on beta/release, enforced by default in Nightly) with the intent to enforce the restrictions by default on 152.

This affects tabs.executeScript, tabs.insertCSS, tabs.removeCSS, scripting.executeScript, scripting.insertCSS, scripting.removeCSS.

The tabs.executeScript documentation currently shows an example of execution in an extension page, that and the description should be modified: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript

There are also mentions of extensions getting host access to their own origin, in https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#host_permissions starting at

In Firefox, from version 56 onwards, extensions automatically get host permissions for their own origin, which is of the form:

... that needs to be removed/replaced. Similarly at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/host_permissions

It does not require a special mention, because the default expectation is for a web page to be able to fetch() their own URLs, which also applies to extension documents. In the original first comment in the report here, I linked to some historical reason for the change - that has long been obsolete by now, so the only notable effect of the implicit permission was executeScript functionality, which we are deprecating with this bug.

Flags: needinfo?(lgreco)

github.com/mbnuqw/sidebery/issues/2356#issuecomment-3932263746 explains a significant, negative downstream impact of this. I know of no alternative (although I am a lay person, in comparison to the ticket author).

Thanks for sharing RJLB. I wrote a reply at https://github.com/mbnuqw/sidebery/issues/2356#issuecomment-3940917522 . The short version is that I do see alternatives, except possibly for one case: arbitrary code execution. Perhaps we should consider prioritizing the implementation of bug 1685123 as a mitigation.

Keywords: dev-doc-neededdev-doc-complete
See Also: → 1685123
Whiteboard: [addons-jira] → [addons-jira][adv-main149+]

Even though this bug report is fixed, the protection is not enabled for release yet. See bug 2015559

Whiteboard: [addons-jira][adv-main149+] → [addons-jira][adv-main149-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: