Resource URIs are mostly unprivileged and that is good for security. However, resource:// is pretty much accessible from the Web, and by default all files in SDK-based add-ons are in resource://.
Does anyone know how to prevent embedding resource://addon-name-here/icon.png from Web content, for example?
The problem: detecting an add-on from unprivileged Web content:
<img onload="..." onerror="..." src="resource://addon-name-here/icon.png" />
Also:
<script>
// This code suppresses most errors from CommonJS code
var require = function () {
return new Proxy(function () {}, {get(t, n, r){return r}});
};
var exports = {}, module = require;
</script>
<!-- The following script will run without the privileges. So no trivial security issues but terrible for privacy. -->
<script src="resource://addon-name-here/some/script.js" onerror="..." onload="..."></script>
This is very bad for privacy of our users.
Some may argue that add-ons change browser fingerprints anyway, so resource:// is not a problem. However, some add-ons can be written in such a way that fingerprinting is otherwise nearly impossible. resource:// being detectable from the Web is the remaining privacy threat, which allows classifying users based on installed add-ons.
Some add-ons do require their resource:// files to be available from the Web. However, that is no excuse for this leak being available for every add-on. Most add-ons don’t need this “feature”.
Are there any plans at Mozilla to restrict resource:// URIs? This is rather critical. Some downstream developers of Firefox are interested in it.
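The img-onload probe above, turned into a self-audit an add-on author can run from an ordinary web page against their own add-on's image files to see which resource:// URIs leak; this is an added example, not code from the original post, and the add-on name "example-addon" and the injectable `loader` parameter (so the tally logic can run outside a browser) are assumptions.

```javascript
// Added example: audit which of an add-on's own resource:// image files are
// reachable from unprivileged web content. Only image files are meaningful
// here: an <img> fires onerror both for a missing file and for an existing
// non-image file, so a non-image URI cannot be classified by this probe.

function defaultLoader(uri, timeoutMs) {
  // Browser-only: resolves "loaded", "error" or "timeout" for one URI.
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve("timeout"), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve("loaded"); };
    img.onerror = () => { clearTimeout(timer); resolve("error"); };
    img.src = uri;
  });
}

// Probe each URI in turn. Non-resource:// URIs are skipped so the audit
// only reports on the add-on's own files. Returns per-URI statuses and the
// list of URIs that web content could load (i.e. the privacy leak).
async function auditResourceUris(uris, loader = defaultLoader, timeoutMs = 2000) {
  const results = [];
  for (const uri of uris) {
    if (!uri.startsWith("resource://")) {
      results.push({ uri, status: "skipped" });
      continue;
    }
    results.push({ uri, status: await loader(uri, timeoutMs) });
  }
  const leaked = results.filter((r) => r.status === "loaded").map((r) => r.uri);
  return { results, leaked };
}

// Constructed sample list for the hypothetical add-on "example-addon".
const SAMPLE_URIS = [
  "resource://example-addon/icon.png",
  "resource://example-addon/missing.png",
  "https://example.com/not-an-addon.png",
];
```

In a real page the call is simply `auditResourceUris(SAMPLE_URIS).then(r => console.log(r.leaked))`; an empty `leaked` list means none of the probed files are exposed.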