Fix #2435, disable Screenshots on addons.mozilla.org and testpilot.fi…

…refox.com
mozilla-services · Apr 10, 2017 · 48a17bb · 48a17bb
1 parent bdac9a3
commit 48a17bb
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/addon/webextension/background/main.js b/addon/webextension/background/main.js
@@ -133,7 +133,7 @@ window.main = (function () {
     if (shouldOpenMyShots(url)) {
       return true;
     }
-    if (isShotOrMyShotPage(url) || /^(?:about|data|moz-extension):/i.test(url)) {
+    if (isShotOrMyShotPage(url) || /^(?:about|data|moz-extension):/i.test(url) || isBlacklistedUrl(url)) {
       return false;
     }
     return true;
@@ -155,6 +155,18 @@ window.main = (function () {
     return false;
   }
 
+  function isBlacklistedUrl(url) {
+    // These specific domains are not allowed for general WebExtension permission reasons
+    // Discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=1310082
+    // List of domains copied from: https://dxr.mozilla.org/mozilla-central/source/browser/app/permissions#18-19
+    // Note we disable it here to be informative, the security check is done in WebExtension code
+    const badDomains = ["addons.mozilla.org", "testpilot.firefox.com"];
+    let domain = url.replace(/^https?:\/\//i, "");
+    domain = domain.replace(/\/.*/, "").replace(/:.*/, "");
+    domain = domain.toLowerCase();
+    return badDomains.includes(domain);
+  }
+
   browser.tabs.onUpdated.addListener(catcher.watchFunction((id, info, tab) => {
     if (info.url && tab.selected) {
       if (urlEnabled(info.url)) {