WebExtensions & security with "web_accessible_resources"

Discussion of general topics about Mozilla Firefox
Post Reply
Wizard13
Posts: 4
Joined: October 2nd, 2017, 11:21 am

WebExtensions & security with "web_accessible_resources"

Post by Wizard13 »

Hi!
In MDN docs it states:
To enable a web page to contain an <img> element whose src attribute points to this image, you could specify "web_accessible_resources" like this:

"web_accessible_resources": ["images/my-image.png"]

The file will then be available using a URL like:

moz-extension://<extension-UUID>/images/my-image.png"

<extension-UUID> is not your extension's ID. It is randomly generated for every browser instance. This prevents websites from fingerprinting a browser by examining the extensions it has installed.
So, I would think that these resources cannot be read by any web page outside the extension, since they would need to know the random UUID. However, the same documentation also states:
Note that if you make a page web-accessible, then any website may then link or redirect to that page. The page should then treat any input (POST data, for examples) as if it came from an untrusted source, just as a normal web page should.
I don't understand how "any website may then link or redirect to that page". Wouldn't it need to know the random UUID?
Post Reply