Browser action and page action popups should only permit relative (extension) URLs and not remote URLs
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox106 fixed)
People
(Reporter: robwu, Assigned: rpl)
References
(Blocks 1 open bug)
Details
(Whiteboard: [mv3-m2])
Attachments
(3 files)
As seen in bug 1758922, it is currently possible to specify an http(s) URL as the default_popup or popup option in the page_action / browser_action / action APIs.
We should limit this to extension URLs only, and at the very least enforce this for MV3 extensions.
E.g. in the browser_action API definition, default_popup is defined to be relativeUrl (instead of strictRelativeUrl):
https://searchfox.org/mozilla-central/rev/f8db81665dc2833fff09dc7eef200539ac1fd351/toolkit/components/extensions/schemas/browser_action.json#32
In the browserAction.setPopup method, we may consider allowing absolute extension URLs if it is the same moz-extension:-URL as the extension itself.
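The restriction requested in the description above, sketched as an added example (not Firefox's schema code and not part of the original bug). It assumes a hypothetical helper resolvePopupUrl, a constructed extension UUID, and an allowOwnAbsolute option standing in for the setPopup case where an absolute URL of the extension itself might be accepted:

```javascript
// Added illustration, not Firefox's schema code. EXT_BASE uses a constructed UUID.
const EXT_BASE = "moz-extension://4f1c2d3e-0000-4000-8000-abcdef012345/";

// Resolve `popup` against the extension's base URL and return the resulting
// href, or throw if it would load anything other than the extension's own pages.
function resolvePopupUrl(popup, baseUrl = EXT_BASE, { allowOwnAbsolute = false } = {}) {
  if (typeof popup !== "string") throw new TypeError("popup must be a string");
  const base = new URL(baseUrl);

  // A string that parses without a base carries its own scheme (https:, data:, ...).
  let isAbsolute = true;
  try { new URL(popup); } catch { isAbsolute = false; }

  // "//host/path" has no scheme of its own but still names a different host.
  if (popup.startsWith("//")) throw new Error("protocol-relative URL rejected");
  // Manifest-style strict mode: no absolute URLs at all.
  if (isAbsolute && !allowOwnAbsolute) throw new Error("absolute URL rejected");

  // setPopup-style mode: absolute is fine only if it is this extension's own URL.
  const resolved = new URL(popup, base);
  if (resolved.protocol !== base.protocol || resolved.host !== base.host) {
    throw new Error("popup must stay inside the extension");
  }
  return resolved.href;
}

// Boolean wrapper so callers can test a value without handling exceptions.
function isAllowedPopup(popup, options) {
  try { resolvePopupUrl(popup, EXT_BASE, options); return true; } catch { return false; }
}

// Constructed sample inputs covering both modes.
for (const popup of [
  "popup.html",
  "/ui/popup.html?x=1",
  "//example.com/popup.html",
  "https://example.com/popup.html",
  EXT_BASE + "popup.html",
  "moz-extension://00000000-0000-4000-8000-000000000000/popup.html",
]) {
  const strict = isAllowedPopup(popup);
  const own = isAllowedPopup(popup, { allowOwnAbsolute: true });
  console.log(`${popup}\n  manifest-style: ${strict}  setPopup-style: ${own}`);
}
```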
Assignee
Comment 1•2 years ago
Assignee
Comment 2•2 years ago
This patch fixes a pre-existing "setPopup + openPopup" GeckoView test case that was apparently disabled
because it was failing intermittently.
While trying to run it locally I noticed that the test was getting stuck because there is no
tab delegate that would be allowing the test extension to update the current tab from
http://example.com to the extension page that was meant to be triggering the openPopup API call.
Loading the extension page using mainSession.loadUrl seems to be making the test able to fully
run and pass.
It is possible that the test case was originally working but got broken while it started to be ignored,
the test was missing to await for the setPopup call to be fully handled and that may have been likely
a source of intermittent failures over a larger number of runs.
Depends on D154547
Assignee
Comment 3•2 years ago
This patch extends the restriction of setPopup to extension URLs to MV2 extensions running on GeckoView.
Depends on D154548
Comment 5•2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5f0091c3b617
https://hg.mozilla.org/mozilla-central/rev/9c27270397ea
https://hg.mozilla.org/mozilla-central/rev/26965dd3b9d9