Closed Bug 1270412 Opened 8 years ago Closed 8 years ago

No way to load content scripts in about:home, about:newtab pages

Categories

(WebExtensions :: Untriaged, defect)

Product:
WebExtensions
Component:
Untriaged
Version:
49 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: oyenamit, Unassigned)

References

Details

I am the developer of MacDict Firefox extension[1] that allows users to select any text on the webpage and look it up in OS X Dictionary application. The about:home page typically contains 1-2 lines of text snippets served by Mozilla. Also, the user might type text into the search field of about:home or about:newtab and select it.

But there is no declarative way to load content scripts into about:home or about:newtab. Content scripts can be specified to be loaded for sites that match certain patterns in manifest.json. The only patterns allowed are of the form <scheme>://<host><path> or the special pattern "<all_urls>". There is no way to provide matching pattern for about:home or about:newtab.

Without the ability to load content scripts into about:home, about:newtab etc, extension behavior might seem inconsistent to the end users.


[1] https://addons.mozilla.org/en-US/firefox/addon/macdict/
Version: 48 Branch → 49 Branch
I'm sorry, but this isn't something we can support. Scripts in about:newtab and about:home run with elevated privileges, so allowing extension scripts to run in them would allow them to escape their sandboxes.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
That's awfully draconian. Chrome allows content scripts in chrome:// pages (behind a flag), and newtab can even be replaced by an extension.

Maybe instead those pages could be rewritten with less privilege, as WebExtension content+background scripts.
Sad to see this WONTFIXed. We're currently working on a tool to help blind people crowdsource questions on pictures and we figured the best way to do this was a WebExtension to customize about:newtab. I guess we'll need to find another way.
Yoric, would bug 1234150 meet your needs?  That's currently blocked on required permissions, but those should be landing in 53.
Part of this previously posted as bug 1342379.

Disallowing content scripts from running on certain pages is a big change from previous Firefox APIs. This will negatively affect some popular addons, such as Vimperator and Leechblock. We would like to understand the Firefox team's decision here and to possibly offer our counterarguments.

## Risks as we understand them

1. Privilege escalation from WebExtension to full control of the browser allows:
    1. Malicious addons to access the host system and Firefox internals
    2. Malware to target privileged addons
    3. Addon developers to reduce the stability of Firefox by deliberately or accidentally escaping the sandbox

## Additional risks as articulated on #WebExtensions

2. The necessary severe warnings to the user are problematic for usability, security and other reasons.

Is this a fair characterisation of the risks?
Blocks: 1406642
Product: Toolkit → WebExtensions
You need to log in before you can comment on or make changes to this bug.