In MDN docs it states:
So, I would think that these resources cannot be read by any web page outside the extension, since they would need to know the random UUID. However, the same documentation also states:To enable a web page to contain an <img> element whose src attribute points to this image, you could specify "web_accessible_resources" like this:
"web_accessible_resources": ["images/my-image.png"]
The file will then be available using a URL like:
moz-extension://<extension-UUID>/images/my-image.png"
<extension-UUID> is not your extension's ID. It is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.
I don't understand how "any website may then link or redirect to that page". Wouldn't it need to know the random UUID?Note that if you make a page web-accessible, then any website may then link or redirect to that page. The page should then treat any input (POST data, for examples) as if it came from an untrusted source, just as a normal web page should.