Closed Bug 308808 Opened 15 years ago Closed 15 years ago
Web pages can detect which extensions are installed (Check
Load URI call for <script> allows chrome: URLs)
Simple demonstration page detecting the presence of GreaseMonkey, IE View, FlashGot and Mouse Gestures.
for extensions that ship their own interfaces, webpages can also check for if ("nsIFoo" in Components.interfaces) to detect them...
<script> must be doing some kind of CheckLoadURI, because a src attribute with a file: URL is blocked. (That's a good thing, because otherwise it would be possible to read someone's prefs file if you knew its location.) Why aren't src attributes with chrome: URLs blocked?
Summary: Web pages can detect which extensions are installed → Web pages can detect which extensions are installed (CheckLoadURI call for <script> allows chrome: URLs)
*** This bug has been marked as a duplicate of 292789 ***
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Since this was duped against a public bug, please remove the security flag.
15 years ago
(In reply to comment #3) > <script> must be doing some kind of CheckLoadURI[....] Why aren't src > attributes with chrome: URLs blocked? Because Vidur told it not to, apparently http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsScriptLoader.cpp&mark=517-518#510 Easy enough to fix, wonder who we'd break?
Remote XUL, apparently, see bug 292789.
You need to log in before you can comment on or make changes to this bug.