optionsURL should not allow http(s) urls

RESOLVED WONTFIX

Status

()

Toolkit
Add-ons Manager
RESOLVED WONTFIX
7 years ago
a month ago

People

(Reporter: rstrong, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Not sure if this is prevented elsewhere but while debugging bug 608911 I found that it was opening an http url for the optionsURL.

Comment 1

7 years ago
Why wouldn't you just allow them and have them open up in a new tab?
I don't think supporting configuring an add-ons options via an http or even an https url would be a good thing. What use case are you thinking of?
There are restrictions for optionURL and iirc this used to be one of them. After thinking about it a bit more I don't see a problem with allowing http / https so wontfixing.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX

Comment 4

7 years ago
There should probably be a separate bug about what to do with http/https URLS. Currently they spawn a new window with no scrollbars that is unusable.
I'm reopening this because I think there are a couple of other things to think about.

As Michael says I'm not sure that opening a webpage in a top-level window is a good idea. There are probably spoofing issues if the http connection were hijacked or just if the page linked elsewhere.

If we did open it in a new tab then we have to consider what happens for other applications like Thunderbird that aren't webbrowsers and any normal method for opening pages would just launch them in the default browser, likely not what the extension author wanted.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
We have OPTIONS_TYPE_TAB for optionsType now days (added in bug 662004). I think we should automatically use that when optionsURL contains a remote URL and optionsType isn't specified. If optionsType is specified, and it's not OPTIONS_TYPE_TAB, then we disallow remote URLs (ie, return null for optionsURL). This is in line with how we currently handle optionsType for the other types, when its not specified in the install manifest.
Assignee: nobody → geoff
Status: REOPENED → ASSIGNED
Assignee: geoff → nobody
Status: ASSIGNED → NEW

Comment 7

a month ago
WebExtensions options pages are restricted to being extension URLs and other extension types are no longer supported.
Status: NEW → RESOLVED
Last Resolved: 7 years agoa month ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.