Rob Wu [:robwu] Assignee
	Description • 6 years ago

Extensions are only allowed to load some URLs (http(s), ftp:, moz-extension:,  and about:blank).

However, these restrictions can be bypassed by using pipes in the URL passed to the browser.windows.create API.

STR
1. Install any add-on (no extension permissions required).
2. Visit about:debugging and click on the Debug button at the add-on.
3. Run the following snippet:

browser.windows.create({
  url: "about:blank?|file:///tmp/|about:config"
});

Expected:
- An "about:blank" URL should be opened (maybe with some junk in its query string).

Actual:
- Three tabs are opened: "about:blank", "file:///tmp" and "about:config". The last two URLs are restricted URLs.


The crazy behavior of | will hopefully be addressed by bug 1485961 (not adding see also because that bug is public).

I will covertly plug this hole (together with bug 1486738) via (public) bug 1393570.

	Rob Wu [:robwu] Assignee
	Comment 1 • 6 years ago

I have submitted the patch for bug 1393570: https://phabricator.services.mozilla.com/D4929

That patch fixes this bug, by adding a number of parameters so that the code goes through this branch:
https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/browser/base/content/browser.js#1658

instead of this branch (which ends up splitting the URL on pipes, causing this bug):
https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/browser/base/content/browser.js#1687-1688
https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/browser/base/content/browser.js#2171-2188

	Rob Wu [:robwu] Assignee
	Comment 2 • 6 years ago

FIxed by bug 1393570.

	Victor Carciu
	Comment 3 • 6 years ago

Verified as fixed using Firefox 64(buildid 20181105164654) on Winsows 10x64 and macOS 10.13.6.

I also confirmed that issue was reproducible on earlier FF versions.

I will attach a postfix screenshot.