Issue 865881

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jul 27
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 2
Type: Bug

Variable named 'browser' collides with browser namespace in extension content scripts

Reported by varjolin...@gmail.com, Jul 20

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0

Steps to reproduce the problem:
1. Download KeePassXC-Browser from Chrome Web Store (or any other extension which uses browser-polyfill to use the browser namespace in content scripts)
2. Go to https://jsfiddle.net/y2eb1t44/7/ and inspect the page
3. See the error message 'Uncaught TypeError: Cannot read property 'onMessage' of undefined' in the console.

What is the expected behavior?
Using JavaScript via browser namespace should work normally.

What went wrong?
Any variable in content script named 'browser' will collide with browser namespace. Any element with id 'browser' will show this behaviour.

Did this work before? No 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: OS X 10.13
Flash Version:
 
Just to clarify: this happens with all operating systems, not just with macOS.

Components: -Blink Platform>Extensions
Labels: OS-Android OS-Chrome OS-Linux OS-Windows
Tentatively assigning to the Extensions component because this sounds like it's about improper isolation between page content and extensions.

Am I correct that this improper isolation could be potentially dangerous? In theory it could be possible to override the whole browser.runtime and capture any data that is being sent via sendMessage() etc.

It's simply a bug in Mozilla's polyfill: it checks for 'undefined', which is incorrect because DOM elements with an id create implicit global variables. This is probably a known bug which is not trivial to fix, as it's hard to imagine they could overlook something so simple. There is no leaking; the content script's object is inaccessible to the page scripts.

Why does Chromium create such implicit global variables and allow content scripts to use them? This cannot be reproduced with non-Chromium browsers.

All standards-compliant browsers create implicit global variables for DOM elements with an id attribute, including Firefox. This is the correct behavior inherited from some ancient browser. The only reason why this specific bug isn't triggered in Firefox is because Firefox has a built-in window.browser variable which overrides the implicit one.

Thank you for the explanation. I'll make an issue to the webextension-polyfill project.
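The collision explained in the comments above, as an added Node example that is not code from the Chromium issue or from the webextension-polyfill project: the implicit global that `<div id="browser">` creates is stood in by a constructed object (Node has no DOM), and the "hardened" selection is an assumed approach, not the project's actual fix.

```javascript
// Constructed stand-in for the implicit window.browser created by an element id;
// like an HTMLElement, its prototype is not Object.prototype.
class FakeHTMLElement {
  constructor(id) { this.id = id; }
}

// Constructed stand-in for the content script's chrome.* API (only what is needed).
const chromeStub = {
  runtime: {
    sendMessage: (msg, cb) => { if (cb) cb({ echoed: msg }); },
    onMessage: { addListener() {} },
  },
};

// The check the thread blames: any non-undefined global named `browser` is trusted,
// so the page element wins over the chrome.* fallback.
function naiveBrowserNamespace(globalObj) {
  return typeof globalObj.browser === "undefined" ? globalObj.chrome : globalObj.browser;
}

// Hardened selection (an assumption, not the project's fix): accept `browser` only if
// it is a plain object that really exposes runtime.sendMessage; otherwise use chrome.
function hardenedBrowserNamespace(globalObj) {
  const candidate = globalObj.browser;
  const isPlainObject = candidate !== null && typeof candidate === "object" &&
    Object.getPrototypeOf(candidate) === Object.prototype;
  const hasRuntime = isPlainObject && candidate.runtime != null &&
    typeof candidate.runtime.sendMessage === "function";
  return hasRuntime ? candidate : globalObj.chrome;
}

// True when a content script could register a listener on this namespace, i.e. it
// would not hit "Cannot read property 'onMessage' of undefined".
function canRegisterListener(ns) {
  try {
    ns.runtime.onMessage.addListener(() => {});
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed content-script global: chrome.* present, plus the page's id="browser" element.
const pageWithIdBrowser = { chrome: chromeStub, browser: new FakeHTMLElement("browser") };

console.log("naive:", canRegisterListener(naiveBrowserNamespace(pageWithIdBrowser)));       // false
console.log("hardened:", canRegisterListener(hardenedBrowserNamespace(pageWithIdBrowser))); // true
```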
Cc: chelamcherla@chromium.org
Labels: Target-70 M-70 FoundIn-70 Needs-Feedback
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on latest stable 67.0.3396.99 and latest canary 70.0.3501.0 using Windows 10, Mac 10.13.6 and Debian, i.e. observed 'Uncaught TypeError: Cannot read property 'onMessage' of undefined' in the console.

This issue is seen from M-60. Hence considering this issue as Non-Regression and marking as Untriaged for Mac/Linux/Windows.

@ varjolintuvarjo: Could you please provide an app URL to test this issue on Android.

Comment 9 Deleted

@chelamcherla: I'm sorry but I don't have an Android device and I'm not sure what is needed here. Is a test extension published in Chrome Web Store enough?

Status: WontFix (was: Untriaged)
As discussed in the comments, this is an issue in the polyfill provided, not in Chrome. Closing this out.