Local IP wildcard for webextensions' host permission


(CR) #1

I need to create an extension that communicates with a local webserver (i.e. qbittorrent web ui). I need to define a host permission like "http://192.168.1.*", so that anyone else can use it as long as their webserver is local. But I can’t do it since it produces an error:

Reading manifest: Error processing permissions.0: Value "http://192.158.1.*/" must either: must either [must either [be one of ["clipboardRead", "clipboardWrite", "geolocation", "idle", "notifications"], be one of ["bookmarks"], be one of ["find"], be one of ["history"], be one of ["activeTab", "tabs"], be one of ["browserSettings"], be one of ["cookies"], be one of ["topSites"], be one of ["webNavigation"], or be one of ["webRequest", "webRequestBlocking"]], be one of ["alarms", "mozillaAddons", "storage", "unlimitedStorage"], be one of ["browsingData"], be one of ["devtools"], be one of ["identity"], be one of ["menus", "contextMenus"], be one of ["pkcs11"], be one of ["geckoProfiler"], be one of ["sessions"], be one of ["contextualIdentities"], be one of ["downloads", "downloads.open"], be one of ["management"], be one of ["privacy"], be one of ["proxy"], be one of ["nativeMessaging"], be one of ["theme"], or match the pattern /^experiments(\.\w+)+$/], or must either [be one of ["<all_urls>"], match the pattern /^(https?|wss?|file|ftp|\*):\/\/(\*|\*\.[^*/]+|[^*/]+)\/.*$/, or match the pattern /^file:\/\/\/.*$/]

The only solution that I can do now is using the <all_urls> permission. Considering that the extension also uses the cookies permission, it will appear too suspicious since it can get any cookies from any site.

Is it possible to add a local IP wildcard as a host permission, or would there be a security problem? It should only be for IP ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Another solution would be defining a keyword like <local_ip> that falls into those ranges.


(Baptiste Thémine) #2

According to the regular expression ^(https?|wss?|file|ftp|\*):\/\/(\*|\*\.[^*/]+|[^*/]+)\/.*$ and to the documentation, no, it is not possible to define an IP range with a wildcard in manifest permissions.


(erosman) #3

I had actually asked for a similar API but it was rejected.
https://bugzilla.mozilla.org/show_bug.cgi?id=1362849

Suggestions:

  • "http://*/*" would be better than "<all_urls>"
  • You can create a local domain name and use that, i.e. "http://qbittorren/*"
  • You can still double check the requests in the code to make sure they are to the "http://192.168.1.*" before processing
  • Depending on how the extension works, you can limit content scripts to the local IP range
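
The double check suggested in the last post (confirm in code that a request goes to a local address before processing it), written as an added example that is not part of the original thread. It goes beyond the single 192.168.1.* case and covers the three private ranges named in the first post; the function names and sample URLs are constructed for illustration.

```javascript
// Private IPv4 ranges named in the thread, as [network, prefix length].
const PRIVATE_RANGES = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
];

// Convert a strict dotted-quad string to an unsigned 32-bit integer, or null.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// True when addr falls inside network/prefix.
function inRange(addr, [network, prefix]) {
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// Accept only http(s) URLs whose host is a private IPv4 literal.
// The check runs on the parsed hostname, not the raw string, so userinfo
// ("http://192.168.1.1@example.com/") and lookalike domains
// ("192.168.1.1.example.com") are rejected.
function isPrivateHttpUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const addr = ipv4ToInt(url.hostname);
  return addr !== null && PRIVATE_RANGES.some((r) => inRange(addr, r));
}

// Constructed sample URLs, not taken from the thread.
const SAMPLE_URLS = [
  "http://192.168.1.10:8080/api/v2/torrents/info",
  "http://172.32.0.1/",
  "http://192.168.1.1.example.com/",
];
for (const u of SAMPLE_URLS) {
  console.log(u, "->", isPrivateHttpUrl(u) ? "allow" : "reject");
}
```

With a broad host permission such as "http://*/*", calling a check like this before every request or cookie read keeps the extension's actual reach limited to local addresses.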