Error: Missing host permission for the tab, and any iframes #35

Open
glitsj16 opened this issue Nov 8, 2021 · 4 comments

glitsj16 commented Nov 8, 2021

OS: Arch Linux
Firefox 94.0
CSS Exfil Protection 1.1.0

I've been seeing the below in the Firefox browser console for a while now, so IMO it's not related to Firefox versions (seeing it in Firefox Nightly too FWIW). Note that the WE reports all green protections.

relevant browser console snippet:

Unchecked lastError value: Error: Missing host permission for the tab, and any iframes 3 background.js:27

ghost commented Nov 8, 2021

Hello @glitsj16, this is an idea for @mlgualtieri: the problem is maybe the new Fission method or the extension's improved sandbox (do not disable this feature in your browser; I tell this to help him resolve the problem).

@mlgualtieri
Owner

I will take a deeper look. I haven't personally seen this in my Firefox. Do you have a URL that triggers the issue? From your description it sounds like viewing the developer console shows the error when you visit URLs that have an iframe. Is that correct?

It should have permission to scan iframes, so something else must be going on:
https://github.com/mlgualtieri/CSS-Exfil-Protection/blob/master/firefox/manifest.json#L40-L41

Author

glitsj16 commented Nov 9, 2021

@BirdInFire Thanks for pointing out potential problems. I do have fission enabled and didn't mess with any Firefox settings related to the browser's internal sandbox. My about:support page shows Effective Content Process Sandbox Level is 4, which, if I'm not mistaken, is the strongest level available.

> Do you have a URL that triggers the issue?
> [...] console shows the error when you visit URLs that have an iframe. Is that correct?

@mlgualtieri Yes to both questions. After some more testing it turns out the above error is only thrown on URLs that use the file:// format. That explains things I guess. Looking at both the permissions and the optional_permissions APIs there might be a way to 'fix' this but it might very well be edge-cases. The files in question are pages I fully wrote myself, contain very basic HTML/CSS and are read-only. I'm not knowledgeable whatsoever on CSS data exfiltration attacks though, so I leave it up to you to take all this in context. Many thanks for your speedy response and feel free to ask for any additional info you'd need if you decide this would need additional work on your side.

Regards!

@mlgualtieri
Owner

> After some more testing it turns out the above error is only thrown on URLs that use the file:// format.

Ah yes... that makes sense now since it's not asking for permission for file:// URLs in the manifest. I don't think it makes a lot of sense to add that permission in, but it does make sense to see if I can add a check to avoid the error you are seeing.
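
The kind of check mentioned in the last comment, as an added example (not code from the extension or from this thread): before touching a tab, compare its URL against the manifest's host-permission match patterns and skip tabs that are not covered, such as `file://` pages. The pattern list and the function names `matchesPattern` and `canTouchTab` are assumptions, since the manifest entries are not quoted on this page.

```javascript
// Added example, not the extension's code. ASSUMED permission list: the
// manifest's real host permissions are not quoted in this thread.
const ASSUMED_HOST_PERMISSIONS = ["*://*/*"];

// Schemes covered by the "*" scheme wildcard (ws/wss apply in Firefox).
const WILDCARD_SCHEMES = new Set(["http", "https", "ws", "wss"]);
// Schemes covered by the special "<all_urls>" pattern in Firefox.
const ALL_URLS_SCHEMES = new Set(["http", "https", "ws", "wss", "ftp", "data", "file"]);

function escapeRegex(text) {
  return text.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// True when urlString is covered by one WebExtension match pattern.
function matchesPattern(urlString, pattern) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable URL: treat as not permitted
  }
  const scheme = url.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return ALL_URLS_SCHEMES.has(scheme);

  const parts = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!parts) return false; // malformed pattern
  const [, pScheme, pHost, pPath] = parts;

  if (pScheme === "*" ? !WILDCARD_SCHEMES.has(scheme) : pScheme !== scheme) return false;

  const host = url.hostname;
  if (pHost.startsWith("*.")) {
    const base = pHost.slice(2);
    if (host !== base && !host.endsWith("." + base)) return false;
  } else if (pHost !== "*" && pHost !== host) {
    return false;
  }

  // "*" in the path is a glob; everything else is literal.
  const pathRe = new RegExp("^" + pPath.split("*").map(escapeRegex).join(".*") + "$");
  return pathRe.test(url.pathname + url.search);
}

// Guard to call before any per-tab API call that needs host permission.
function canTouchTab(tabUrl, patterns = ASSUMED_HOST_PERMISSIONS) {
  return typeof tabUrl === "string" && patterns.some((p) => matchesPattern(tabUrl, p));
}
```

With the assumed `*://*/*` pattern, `file://` tabs fail the guard and are skipped, which avoids the console error without requesting `file://` access.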
