Traditionally all browser and add-on resources were accessible from the Web.
But this was very insecure.
So unflagged resources with chrome:// URIs were made inaccessible within content.
However, there were no restrictions about resource:// URIs. There are less privileged, but it was still a big problem.
Now, content can’t use XMLHTTPRequest (Fetch) or <iframe> with resource:// files.
The Leak
HTML <img src>, <link rel="stylesheet" href> and <script src> tags can be used to load browser or add-on resources under resource:// URIs. This makes for an easy add-on detection method. You can also use the fact to extract information from an executed script.
Detect installed add-ons
Event handlers work on resource:// resources on a content page. computedStyles may also leak information.
Scripts on the page can communicate with scripts loaded from resource:// URIs. These scripts run with the content principal but can be used for fingerprinting, vulnerability detection or other problematic purposes.
What this means
You can’t really fake your browser locale or OS. These true values can be obtained with the resource:// leak.
Web sites will look for installed extensions on the user’s browser. This is terrible for privacy.
The problem should really be fixed in mozilla-central. But we can mitigate it with an add-on in the meantime. This is an add-on just for that. It uses nsIContentPolicy to selectively filter resource:// access. It does not restrict loading resource:// files directory into a tab, or access from a privileged context.
We hope everyone to know about the problem. Especially, if you have an ad blocker, or a privacy add-on, or many add-ons installed, you are really strongly encouraged to try this add-on to protect your privacy.
Compatibility
Some add-ons that load files into Web pages may break.
about:addons is restricted from loading a resource:// file. This breaks certain add-ons.
We’ll whitelist about:addons in the coming release.
CONFIRMED WONTFIX
The browser stylesheet to center an image directly loaded on a tab is blocked. This means that when you load an image file into a tab, the image will not be centered.
WONTFIX because this is a kind of potentially insecure access the add-on tries to block…
Found a potential issue with the add-on? We want to hear from you.
Also please make sure the problem you found is not caused by another add-on unrelated to this add-on.
Help needed: Someone reported that the add-on breaks the “Saved Logins” dialog. We could not confirm this. Do you know about the problem? If so, let us know. Thanks.