[Support] No Resource URI Leak

This is the official support thread for No Resource URI Leak (Git repository).
https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/

Why this add-on was created

(Brief) History of chrome resources

  • Traditionally all browser and add-on resources were accessible from the Web.
  • But this was very insecure.
  • So unflagged resources with chrome:// URIs were made inaccessible within content.
  • However, there were no restrictions on resource:// URIs. They are less privileged, but it was still a big problem.
  • Now, content can’t use XMLHttpRequest (Fetch) or <iframe> with resource:// files.

The Leak

HTML <img src>, <link rel="stylesheet" href> and <script src> tags can be used to load browser or add-on resources under resource:// URIs. This makes for an easy add-on detection method. You can also use the fact to extract information from an executed script.

https://bugzilla.mozilla.org/show_bug.cgi?id=503221
https://bugzilla.mozilla.org/show_bug.cgi?id=863246

Detect installed add-ons

  • Event handlers work on resource:// resources on a content page. computedStyles may also leak information.
  • Scripts on the page can communicate with scripts loaded from resource:// URIs. These scripts run with the content principal but can be used for fingerprinting, vulnerability detection or other problematic purposes.

What this means

  • You can’t really fake your browser locale or OS. These true values can be obtained with the resource:// leak.
  • Web sites will look for installed extensions on the user’s browser. This is terrible for privacy.
  • Larger attack surface in case of an exploit.
  • Even specially hardened browsers like Tor Browser are affected.

The add-on

The problem should really be fixed in mozilla-central. But we can mitigate it with an add-on in the meantime. This is an add-on just for that. It uses nsIContentPolicy to selectively filter resource:// access. It does not restrict loading resource:// files directly into a tab, or access from a privileged context.

We hope everyone gets to know about the problem. Especially, if you have an ad blocker, or a privacy add-on, or many add-ons installed, you are really strongly encouraged to try this add-on to protect your privacy.

Compatibility

  • Some add-ons that load files into Web pages may break.

Thank you for using No Resource URI Leak.

Known issues:

  • about:addons is restricted from loading a resource:// file. This breaks certain add-ons.
    • We’ll whitelist about:addons in the coming release.

CONFIRMED WONTFIX

  • The browser stylesheet to center an image directly loaded on a tab is blocked. This means that when you load an image file into a tab, the image will not be centered.
    • WONTFIX because this is a kind of potentially insecure access the add-on tries to block…

Found a potential issue with the add-on? We want to hear from you.
Also please make sure the problem you found is not caused by another add-on unrelated to this add-on.

Fix pushed (Whitelist about:addons)
https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/versions/

Fixed in 0.2.1:

  • view-source: pages broken
    • Whitelisted view-source: (Secure because Web pages can’t access them these days)

Some research is needed on a Thunderbird UI compatibility problem.

Help needed: Someone reported that the add-on breaks the “Saved Logins” dialog. We could not confirm this. Do you know about the problem? If so, let us know. Thanks.

There’s some discussion of the Pale Moon version of this addon on GitHub, especially a bug report @ https://github.com/MoonchildProductions/Pale-Moon/issues/445#issuecomment-226959128 . Did you see that? Any comments? (For the sake of the PM community, if you could reply there, it’d be great!)


I’m following Pale Moon issues there but I don’t generally use GitHub myself.
FYI this is our ticket:
https://notabug.org/desktopd/no-resource-uri-leak/issues/2

Problem reporting guide


Enable debugging

  1. Open about:addons and go to the add-on’s preferences.
  2. Enable debugging messages.
  3. Click [Update].

Reproduce the problem.

  • Make sure to report what exactly you did, step by step.

Copy the debugging messages

  1. Open Hamburger Menu > Developer > Browser Console.
  2. Copy the contents.

Let us know!


Thank you!

Hello, thank you for the add-on.
I see too many of these in Ctrl+Shift+J. Is this normal?

Exception { message: “Component returned failure code: 0x…”, result: 2147746065, name: “NS_ERROR_NOT_AVAILABLE”, filename: “resource://gre/modules/commonjs/too…”, lineNumber: 84, columnNumber: 0, data: null, stack: “observe@resource://gre/modules/comm…”, location: XPCWrappedNative_NoHelper } filter.js:95

Also I see two of these:

ResourceFilter: Rejected “chrome://global/locale/intl.css” about:neterror?e=fileNotFound&u=resource%3A//gre/modules/commonjs/too%25E2%2580%25A6&c=UTF-8&f=regular&d=Firefox%20can%27t%20find%20the%20file%20at%20resource%3A//gre/modules/commonjs/too%E2%80%A6. [object XMLStylesheetProcessingInstruction] XPCWrappedNative_NoHelper { URI: XPCWrappedNative_NoHelper, cspJSON: “{}”, jarPrefix: “”, originAttributes: Object, origin: “moz-safe-about:neterror?e=fileNotFo…”, originNoSuffix: “moz-safe-about:neterror?e=fileNotFo…”, originSuffix: “”, baseDomain: “about:neterror?e=fileNotFound&u=res…”, appStatus: 0, appId: 0 }

Do you see any visible problem with these errors?

I have no idea.

The fix is included in the latest alpha version of Tor Browser! Many thanks to everyone interested in the problem.

https://blog.torproject.org/blog/tor-browser-65a2-released

About the problem of missing UI elements…

Hints for users

  • You can disable the blocking without disabling the add-on
    • Change the add-on’s Preferences in Add-ons Manager (about:addons)
  • You can disable protection for certain domains of internal browser resources. (See above)
  • You can use context menus to control videos – if controls are missing!

Call for help (technical)

This will solve many (if not most) issues related to the use of the add-on!

https://discourse.mozilla-community.org/t/how-to-determine-the-mime-type-of-the-loading-document-in-a-content-policy/9917?u=desktopd

I just copied the styles for e.g. centering images and videos from the resource:// css and created a user style with stylish.

I get a lot of

Exception { message: "Component returned failure code: 0x…", result: 2147746065, name: "NS_ERROR_NOT_AVAILABLE", filename: "resource://gre/modules/commonjs/too…", lineNumber: 84, columnNumber: 0, data: null, stack: "observe@resource://gre/modules/comm…", location: XPCWrappedNative_NoHelper }

in my browser console which points at this add-on.