mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License

Error: Missing host permission for the tab, and any iframes #35

Open glitsj16 opened 2 years ago

glitsj16 commented 2 years ago

OS: Arch Linux
Firefox 94.0
CSS Exfil Protection 1.1.0

I've been seeing the below in the Firefox browser console for a while now, so IMO it's not related to Firefox versions (seeing it in Firefox Nightly too FWIW). Note that the WE reports all green protections.

relevant browser console snippet:

Unchecked lastError value: Error: Missing host permission for the tab, and any iframes 3 background.js:27

ghost commented 2 years ago

Hello @glitsj16, this is an idea for @mlgualtieri: the problem is maybe the new Fission method or the extension's improved sandbox (do not disable this feature in your browser; I tell this to help him resolve the problem).

mlgualtieri commented 2 years ago

I will take a deeper look. I haven't personally seen this in my Firefox. Do you have a URL that triggers the issue? From your description it sounds like viewing the developer console shows the error when you visit URLs that have an iframe. Is that correct?

It should have permission to scan iframes, so something else must be going on: https://github.com/mlgualtieri/CSS-Exfil-Protection/blob/master/firefox/manifest.json#L40-L41

glitsj16 commented 2 years ago

@BirdInFire Thanks for pointing out potential problems. I do have fission enabled and didn't mess with any Firefox settings related to the browser's internal sandbox. My about:support page shows Effective Content Process Sandbox Level is 4, which, if I'm not mistaken, is the strongest level available.

> Do you have a URL that triggers the issue? [...] console shows the error when you visit URLs that have an iframe. Is that correct?

@mlgualtieri Yes to both questions. After some more testing it turns out the above error is only thrown on URLs that use the file:// format. That explains things I guess. Looking at both the permissions and the optional_permissions APIs there might be a way to 'fix' this but it might very well be edge-cases. The files in question are pages I fully wrote myself, contain very basic HTML/CSS and are read-only. I'm not knowledgeable whatsoever on CSS data exfiltration attacks though, so I leave it up to you to take all this in context. Many thanks for your speedy response and feel free to ask any additional info you'd need if you decide this would need additional work on your side.

Regards!

mlgualtieri commented 2 years ago

> After some more testing it turns out the above error is only thrown on URLs that use the file:// format.

Ah yes... that makes sense now since it's not asking for permission for file:// URLs in the manifest. I don't think it makes a lot of sense to add that permission in, but it does make sense to see if I can add a check to avoid the error you are seeing.
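
One way such a check could look, as an added example that is not part of the thread and not the extension's own code: skip tabs whose URL scheme the manifest does not cover, and read `runtime.lastError` in the callback so a remaining failure is handled instead of logged as unchecked. The helper names, the `inject` stand-in for whatever `tabs.*` call `background.js` makes, and the assumption that only `http:` and `https:` are covered are all hypothetical.

```javascript
// Added example: hypothetical helpers, not taken from background.js.
// Assumption: the manifest's host permissions cover only these schemes.
const PERMITTED_SCHEMES = new Set(["http:", "https:"]);

// True only when the tab URL parses and its scheme is one the extension is
// assumed to hold host permission for (so file://, about:, etc. are false).
function hasHostPermission(tabUrl) {
  try {
    return PERMITTED_SCHEMES.has(new URL(tabUrl).protocol);
  } catch (e) {
    return false; // undefined, empty or malformed URL
  }
}

// Runs `inject(tabId, callback)` only for permitted tabs and reports the
// outcome through `onResult`. `inject` stands in for the callback-style
// tabs.* call the background script uses; `runtime` is browser.runtime
// (or chrome.runtime) in the extension and a stub in tests.
function guardedInject(tab, inject, runtime, onResult) {
  if (!hasHostPermission(tab.url)) {
    onResult("skipped"); // never issue a call that is known to be refused
    return;
  }
  inject(tab.id, () => {
    // Reading lastError inside the callback marks it as checked, which is
    // what suppresses the "Unchecked lastError value" console message.
    const err = runtime.lastError;
    onResult(err ? "failed: " + err.message : "injected");
  });
}

// Constructed sample tabs, for illustration only.
const SAMPLE_TABS = [
  { id: 1, url: "https://example.com/" },
  { id: 2, url: "file:///home/user/page.html" },
  { id: 3, url: "about:blank" },
  { id: 4 }, // tab object without a url property
];

// Classifies every sample tab using an injection stub that always succeeds.
function classifySamples() {
  const results = [];
  const okInject = (tabId, cb) => cb();
  for (const tab of SAMPLE_TABS) {
    guardedInject(tab, okInject, {}, (r) => results.push(r));
  }
  return results;
}
```
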