Web pages accessing chrome:// is forbidden · 2008-04-13 22:30 by Wladimir Palant
I didn’t believe that this would still be fixed in Firefox 3 but bug 292789 has landed. The timing could be better, having such a big change go in shortly before a release is certainly less than optimal — yet still, I think that we are much better off now than we were before.
Until now any web page could load scripts or images from the chrome:// protocol — files that are meant to be used by the browser itself. So as a web page you can write:
And that will load the script actually in use by the Firefox browser. I have seen many bogus vulnerability reports about this feature, but it isn’t an issue in itself: just because you can include a browser’s script in your web page, it will not execute with the browser’s privileges. The effect is exactly the same as taking this file from some Firefox installation and uploading it to your website: the script will have the same privileges that your site has. The files available via the chrome:// protocol are exactly the same in each Firefox installation, and by reading them you don’t gain any information you couldn’t get by other means.
Well, almost no information. Thing is, extensions will add new files that will also be available via chrome:// protocol. So a web page could use this code:
And that image would only load if Adblock Plus is installed. As some people noticed, this is a nifty way to detect which extensions a site’s visitor has installed. And, obviously, when I browse the web I don’t want everybody to know what I use, in particular because that would allow targeted attacks at vulnerabilities in extensions. I designed a workaround – but it is used only by Adblock Plus and a bunch of other extensions.
Nice to see that Firefox fixes this issue now. In the new world, only chrome://browser/ and chrome://toolkit/ are accessible from the web (these are the files we want to be accessible). Everything else (including extensions) is hidden however. If for some reason an extension needs its files to be accessible from the web, it can specify the flag contentaccessible=yes in chrome.manifest — but that should be a rare exception.
There is a catch however. Firefox 2 does not understand the flag contentaccessible=yes and will ignore the entire line. If your extension should be backwards compatible, something like this will work for both Firefox 2 and Firefox 3:

    content mypackage location/
    content mypackage location/ contentaccessible=yes
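As an added illustration (it is neither the browser's code nor anything from this post), here is a small Python model of the new rule and of the Firefox 2 catch: a manifest parser that drops lines carrying unknown flags the way Firefox 2 does, and a check of which chrome:// URLs a web page could still load. The version numbers, the set of understood flags, the built-in package list and the sample manifest are assumptions made for the model.

```python
"""Model of the chrome:// access rule from bug 292789 (assumed behaviour, not Firefox code)."""
from urllib.parse import urlparse

# Packages assumed to be web-reachable without any flag (per the post: browser and toolkit).
WEB_VISIBLE_BY_DEFAULT = {"browser", "toolkit"}
# Flags each major version is assumed to understand; Firefox 2 knows none of them.
KNOWN_FLAGS = {2: set(), 3: {"contentaccessible"}}


def parse_manifest(text, firefox_version):
    """Return {package: content_accessible} as the given Firefox version would register it.

    Only 'content' lines are modelled: 'content <package> <path> [flag=value ...]'.
    A line with a flag the version does not understand is dropped entirely (the catch).
    """
    registry = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in chrome.manifest
        if not line:
            continue
        fields = line.split()
        if fields[0] != "content" or len(fields) < 3:
            continue  # skin/locale/overlay lines are out of scope for this model
        package = fields[1]
        flags = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
        if any(name not in KNOWN_FLAGS[firefox_version] for name in flags):
            continue  # unknown flag: the whole line is ignored, as Firefox 2 does
        accessible = flags.get("contentaccessible") == "yes"
        # Duplicate registrations are merged; once flagged accessible it stays so (assumed).
        registry[package] = registry.get(package, False) or accessible
    return registry


def web_may_load(url, registry, firefox_version):
    """Decide whether a web page could load the given chrome:// URL under the version's policy."""
    parts = urlparse(url)
    if parts.scheme != "chrome":
        return True  # not a chrome URL: this rule does not apply
    package = parts.netloc
    if package not in registry and package not in WEB_VISIBLE_BY_DEFAULT:
        return False  # nothing registered under that name, so nothing to load
    if firefox_version < 3:
        return True  # before the fix every registered chrome:// file was web-reachable
    return package in WEB_VISIBLE_BY_DEFAULT or registry.get(package, False)


# Constructed sample manifest using the backwards-compatible trick from the post,
# plus a second package that does not opt in.
SAMPLE_MANIFEST = """\
content mypackage location/
content mypackage location/ contentaccessible=yes
content secretpkg secret/
"""
```

Running `parse_manifest(SAMPLE_MANIFEST, 2)` shows only the unflagged lines survive, while with version 3 `mypackage` ends up content-accessible and `secretpkg` stays hidden from web pages.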
I expected to use this for Adblock Plus (temporarily at least) because of the “object tabs” feature, but surprisingly it wasn’t broken. Good for me.