Saving a page in an incognito/private/container tab is insecure #1606
Comments
Thank you again for the detailed issue. I fixed it in Chrome since it's an easy change, and the repository is specific to the MV3 port. Regarding Firefox, do you confirm the extension page used to fetch resources would be visible to the user?
I may be wrong but currently I don't see any way to create an extension page invisibly. It may be possible through the
Thanks for the confirmation, I had a doubt and I'm pretty sure you're right. It's not great in terms of user experience. Maybe I'll wait for Mozilla to implement the
You are right. Though I think the inconsistency and potential security concern also deserve care... Besides saving resources with a visible extension page in the same session as a tab, the other choice may be to simply disallow (or provide a warning about) saving a private/container tab.
I'm wondering if the page of the sidebar could be used for this. Maybe that could be an acceptable workaround, i.e. force the user to let the sidebar open.
Describe the bug
When saving a page in a private/incognito window, resources fetched by the background script of the extension are in the same session as a normal window, and thus can result in an inconsistent state or, worse, leak private information.

For Chromium this could be fixed using the `incognito: split` manifest, which forces the extension to use incognito-specific background scripts.

For Firefox, fetches for a private tab need to be done in an extension page in a private window. Additionally, the same issue also applies to a page in a non-default container.
To Reproduce
Expected behavior
Resources should be saved correctly.
Environment
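The "disallow or warn" option raised in the thread comes down to comparing the session of the tab being saved with the session the background script fetches in. The sketch below is an added example, not code from the extension: the function names are hypothetical, the tab objects are constructed samples shaped like `tabs.Tab`, and it assumes Firefox's `firefox-default` / `firefox-private` / `firefox-container-N` cookie store IDs.

```javascript
// Added illustration; function names are hypothetical, not the extension's code.
const DEFAULT_STORE = "firefox-default"; // Firefox cookie store of normal tabs
const PRIVATE_STORE = "firefox-private"; // Firefox cookie store of private tabs

// Classify the browsing session (cookie jar) a tab belongs to.
// `incognito` is set by Chromium and Firefox; `cookieStoreId` only by Firefox.
function sessionOf(tab) {
  if (tab.incognito || tab.cookieStoreId === PRIVATE_STORE) return "private";
  if (tab.cookieStoreId && tab.cookieStoreId !== DEFAULT_STORE) {
    return "container:" + tab.cookieStoreId;
  }
  return "default";
}

// Session used by fetches issued from the background script. With
// "incognito": "split" in Chromium, a separate background instance serves
// incognito windows; pass inIncognitoContext = true for that instance.
function backgroundSession(inIncognitoContext) {
  return inIncognitoContext ? "private" : "default";
}

// Decide whether a save may fetch resources from the background script
// without sending requests from a different session than the tab's.
function planSave(tab, inIncognitoContext = false) {
  const tabSession = sessionOf(tab);
  const bgSession = backgroundSession(inIncognitoContext);
  if (tabSession === bgSession) {
    return { allowed: true, tabSession, reason: "background fetch uses the tab's session" };
  }
  return {
    allowed: false,
    tabSession,
    reason: `tab is in "${tabSession}" but background fetches run in "${bgSession}"`,
  };
}

// Constructed sample tabs (not taken from the issue).
const SAMPLE_TABS = [
  { id: 1, incognito: false, cookieStoreId: "firefox-default" },
  { id: 2, incognito: true, cookieStoreId: "firefox-private" },
  { id: 3, incognito: false, cookieStoreId: "firefox-container-2" },
  { id: 4, incognito: true }, // Chromium tab: no cookieStoreId
];

for (const tab of SAMPLE_TABS) {
  const plan = planSave(tab);
  console.log(tab.id, plan.allowed ? "save" : "warn/refuse", "-", plan.reason);
}
```

A caller would surface `reason` to the user or refuse the save when `allowed` is false.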