MozillaZine

WebExtensions & security with "web_accessible_resources"

Discussion of general topics about Mozilla Firefox
Wizard13
 
Posts: 4
Joined: October 2nd, 2017, 11:21 am

Post Posted November 1st, 2018, 12:07 pm

Hi!
In MDN docs it states:
To enable a web page to contain an <img> element whose src attribute points to this image, you could specify "web_accessible_resources" like this:

"web_accessible_resources": ["images/my-image.png"]

The file will then be available using a URL like:

moz-extension://<extension-UUID>/images/my-image.png"

<extension-UUID> is not your extension's ID. It is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.

So, I would think that these resources cannot be read by any web page outside the extension, since they would need to know the random UUID. However, the same documentation also states:
Note that if you make a page web-accessible, then any website may then link or redirect to that page. The page should then treat any input (POST data, for examples) as if it came from an untrusted source, just as a normal web page should.

I don't understand how "any website may then link or redirect to that page". Wouldn't it need to know the random UUID?

Return to Firefox General


Who is online

Users browsing this forum: No registered users and 4 guests