From 64c09f5ee2b171e68a97b1d15aca048244cc5432 Mon Sep 17 00:00:00 2001 From: Shane Caraveo Date: Thu, 7 Sep 2017 17:09:40 -0400 Subject: [PATCH] Bug 1380597 - Ensure the url can be loaded by the extension. r=kmag MozReview-Commit-ID: GH31FlHxpVu --- browser/components/extensions/ext-browserAction.js | 3 +++ browser/components/extensions/ext-pageAction.js | 3 +++ browser/components/extensions/ext-sidebarAction.js | 3 +++ browser/components/extensions/schemas/page_action.json | 1 + .../test/browser/browser_ext_browserAction_context.js | 9 +++++++++ .../test/browser/browser_ext_pageAction_context.js | 8 ++++++++ .../test/browser/browser_ext_sidebarAction_context.js | 9 +++++++++ 7 files changed, 36 insertions(+) diff --git a/browser/components/extensions/ext-browserAction.js b/browser/components/extensions/ext-browserAction.js index df1d19dfe500..b28860e75ede 100644 --- a/browser/components/extensions/ext-browserAction.js +++ b/browser/components/extensions/ext-browserAction.js @@ -648,6 +648,9 @@ this.browserAction = class extends ExtensionAPI { // For internal consistency, we currently resolve both relative to the // calling context. let url = details.popup && context.uri.resolve(details.popup); + if (url && !context.checkLoadURL(url)) { + return Promise.reject({message: `Access denied for URL ${url}`}); + } browserAction.setProperty(tab, "popup", url); }, diff --git a/browser/components/extensions/ext-pageAction.js b/browser/components/extensions/ext-pageAction.js index ba64cd270b91..eddb0124cb4c 100644 --- a/browser/components/extensions/ext-pageAction.js +++ b/browser/components/extensions/ext-pageAction.js 
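Review bot: The load check added to setPopup in ext-browserAction.js is pasted unchanged into ext-pageAction.js and, minus the `url &&` guard, into ext-sidebarAction.js, so the three copies can drift apart when the policy changes. A small shared helper would keep them aligned. Failing that, a one-line comment above each copy would record the intent, for example `// Refuse URLs the extension's own principal may not load, e.g. privileged about: pages.` The tests in this commit pin only `about:addons`, and which other schemes `context.checkLoadURL` refuses is decided outside this diff, so one more rejected scheme and one accepted relative path would make the boundary explicit. The body of setPopup starts above the hunk.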
@@ -329,6 +329,9 @@ this.pageAction = class extends ExtensionAPI { // For internal consistency, we currently resolve both relative to the // calling context. let url = details.popup && context.uri.resolve(details.popup); + if (url && !context.checkLoadURL(url)) { + return Promise.reject({message: `Access denied for URL ${url}`}); + } pageAction.setProperty(tab, "popup", url); }, diff --git a/browser/components/extensions/ext-sidebarAction.js b/browser/components/extensions/ext-sidebarAction.js index daea910bd1f4..5284a0ffa304 100644 --- a/browser/components/extensions/ext-sidebarAction.js +++ b/browser/components/extensions/ext-sidebarAction.js @@ -417,6 +417,9 @@ this.sidebarAction = class extends ExtensionAPI { url = null; } else if (details.panel !== "") { url = context.uri.resolve(details.panel); + if (!context.checkLoadURL(url)) { + return Promise.reject({message: `Access denied for URL ${url}`}); + } } else { throw new ExtensionError("Invalid url for sidebar panel."); } diff --git a/browser/components/extensions/schemas/page_action.json b/browser/components/extensions/schemas/page_action.json index dfb9e1519942..5a1448b4c5a7 100644 --- a/browser/components/extensions/schemas/page_action.json +++ b/browser/components/extensions/schemas/page_action.json @@ -177,6 +177,7 @@ { "name": "setPopup", "type": "function", + "async": true, "description": "Sets the html document to be opened as a popup when the user clicks on the page action's icon.", "parameters": [ { diff --git a/browser/components/extensions/test/browser/browser_ext_browserAction_context.js b/browser/components/extensions/test/browser/browser_ext_browserAction_context.js index 2c2e356ef43c..e943ba6eb44e 100644 --- a/browser/components/extensions/test/browser/browser_ext_browserAction_context.js +++ b/browser/components/extensions/test/browser/browser_ext_browserAction_context.js 
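Review bot: In ext-sidebarAction.js the new check in the `details.panel !== ""` branch returns `Promise.reject({message: ...})`, while the `else` branch directly below reports its error with `throw new ExtensionError("Invalid url for sidebar panel.")`, so one function now signals failure in two ways. ExtensionError is already in scope here, so ``throw new ExtensionError(`Access denied for URL ${url}`);`` would keep the style consistent. This assumes setPanel is declared async in its schema so that a throw reaches the caller as a rejection, which this diff does not show. The same plain-object rejection is used in the browserAction and pageAction hunks. setPanel's body begins and ends outside the hunk.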
@@ -391,6 +391,15 @@ add_task(async function testDefaultTitle() { browser.test.log("Set default title to null string. Expect null string from API, extension title in UI."); browser.browserAction.setTitle({title: ""}); + await expectDefaults(details[3]); + expect(details[3]); + }, + async expect => { + browser.test.assertRejects( + browser.browserAction.setPopup({popup: "about:addons"}), + /Access denied for URL about:addons/, + "unable to set popup to about:addons"); + await expectDefaults(details[3]); expect(details[3]); }, diff --git a/browser/components/extensions/test/browser/browser_ext_pageAction_context.js b/browser/components/extensions/test/browser/browser_ext_pageAction_context.js index 793e14df1ac3..4b76c881c36a 100644 --- a/browser/components/extensions/test/browser/browser_ext_pageAction_context.js +++ b/browser/components/extensions/test/browser/browser_ext_pageAction_context.js @@ -170,6 +170,14 @@ add_task(async function testTabSwitchContext() { await browser.pageAction.hide(tabs[0]); expect(null); }, + async expect => { + browser.test.assertRejects( + browser.pageAction.setPopup({tabId: tabs[0], popup: "about:addons"}), + /Access denied for URL about:addons/, + "unable to set popup to about:addons"); + + expect(null); + }, ]; }, }); diff --git a/browser/components/extensions/test/browser/browser_ext_sidebarAction_context.js b/browser/components/extensions/test/browser/browser_ext_sidebarAction_context.js index abb083ec2e2a..910cf1e02598 100644 --- a/browser/components/extensions/test/browser/browser_ext_sidebarAction_context.js +++ b/browser/components/extensions/test/browser/browser_ext_sidebarAction_context.js 
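Review bot: The new step in browser_ext_browserAction_context.js calls `browser.test.assertRejects(...)` without `await`, so the step can move on to `expectDefaults`/`expect` before the rejection has been checked. A regression in the access check could then be reported late or attributed to a later step. Prefixing the call, `await browser.test.assertRejects(`, ties the assertion to this step. The same applies to the new steps in browser_ext_pageAction_context.js, where `expect(null)` follows immediately, and in browser_ext_sidebarAction_context.js. The surrounding test array starts and ends outside the hunk.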
@@ -372,6 +372,15 @@ add_task(async function testDefaultTitle() { browser.test.log("Set default title to null string. Expect null string from API, extension title in UI."); browser.sidebarAction.setTitle({title: ""}); + await expectDefaults(details[3]); + expect(details[3]); + }, + async expect => { + browser.test.assertRejects( + browser.sidebarAction.setPanel({panel: "about:addons"}), + /Access denied for URL about:addons/, + "unable to set panel to about:addons"); + await expectDefaults(details[3]); expect(details[3]); },