I have an extension that is blocked from the review process because it gets a URL from an external source (a Windows application) and navigates to this URL.
Mozilla told us to sanitize the URL before using it, and they gave us this link as a guideline, although it doesn’t explain how to use it for URL sanitization.
For example, we are using this code to navigate to a new URL: browser.tabs.update(request.tabId, {url: request.url});
where request.url is the URL that our Windows application sends to the extension.
What is the correct way to sanitize the URL in the background script of the extension?
The user is able to add a URL to our Windows app, and the app communicates via the native host with the extension to create/navigate to this URL.
The issue is that the Mozilla review team has blocked us because we use the URL from the external source without sanitizing it first. But we are not able to find how to do it correctly.
Our application is an RPA tool, and the user can do whatever he needs. We don’t know each user's case and what he might need to achieve. As a result, we need to sanitize it only to comply with the Mozilla review.
But maybe just the possibility of redirecting the user to any webpage is dangerous enough.
I can imagine the worst-case scenario being that an attacker who gains access to his server (or just a new owner) would buy a 0-day vulnerability for Firefox (on some black market) and then redirect all addon users to some malicious page and BAM, viruses everywhere! The worst nightmare.
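One way to do the sanitization asked about in this thread, as an added example that is not part of the original posts or of Mozilla's guideline: parse the string received from the native host with the standard `URL` parser and only pass it to `tabs.update` if its scheme is on an allowlist. The names `sanitizeUrl`, `navigate`, `ALLOWED_SCHEMES` and `MAX_LEN`, the http/https allowlist, the length cap and the sample inputs are assumptions of this example.

```javascript
// Added example: allowlist-based URL check for a background script.
// ALLOWED_SCHEMES, MAX_LEN, sanitizeUrl and navigate are names chosen here.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_LEN = 2048; // assumed cap; adjust to what the native app may send

// Returns the normalized URL string, or null if the input must not be used.
function sanitizeUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_LEN) {
    return null;
  }
  let parsed;
  try {
    // The URL parser strips tabs/newlines and lowercases the scheme, so
    // obfuscated schemes such as "java\tscript:" are seen as what they are.
    parsed = new URL(raw); // absolute URLs only; relative input throws
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null; // rejects javascript:, data:, file:, about:, moz-extension:, ...
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return null; // no embedded credentials (https://user:pass@host/)
  }
  return parsed.href;
}

// `tabs` is browser.tabs in the extension; passed in so the check can be tested.
function navigate(tabs, request) {
  const url = sanitizeUrl(request.url);
  if (url === null || !Number.isInteger(request.tabId)) {
    console.warn("Rejected navigation request from native host");
    return null;
  }
  return tabs.update(request.tabId, { url });
}
```

In the background script the call would be `navigate(browser.tabs, request)`, so only the normalized string returned by the parser ever reaches `tabs.update`.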