content sandbox leaks environment between extension versions

Confirmed Issue #13552759 • Assigned to Irfan A.

Details

Author
V S.
Created
Sep 1, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

  1. Install extension (then restart edge to avoid #13536532)
  2. Enable extension. It should alert 'no leak yet’.
  3. Reload extension. It should again alert 'no leak yet’.

Result: It alerts that a variable leaked.
To reproduce the expected behavior in Chrome and Firefox, switch to a normal tab within a second after reloading the extension - tabs.executeScript doesn’t work in a privileged context.

It is reasonable to expect a clean environment after reloading the extension - most of the web is built on that assumption. Having to clean up a potentially really messy environment (let’s say you were debugging something) introduces a lot of error-prone boilerplate, having to remember to reload the tab will result in people not reloading the tab sometimes and then encountering needless frustration. Besides, both Firefox and Chrome provide this guarantee.

If there needs to be communication between different instances over reloads and your security needs are low (I’ve needed this twice so far overall), document.documentElement.dataset is perfectly fine for that.

Attachments

Comments and activity

  • PS: This is again related to #13552759, but not quite the same issue.

  • Microsoft Edge Team

    Changed Status to “Confirmed”

    Changed Status from “Confirmed”

    Changed Assigned To to “James M.”

  • Hello,

    Thank you for providing this information about the issue. After thorough testing, we are unable to reproduce this problem in Edge with the information at hand. Specifically, Edge always alerts ‘no leak yet’ upon reloading the extension. Please update this case when you can provide more details, such as the clear difference between the actual results and the expected results, and a video capture of the repro steps for clarification. Also, please include the version of Edge.

    Best Wishes,
    The MS Edge Team

  • I’ve added screencasts for Edge, Chrome and Firefox. Expected behavior: That displayed by both Chrome and Firefox.
    Edge version used: 16281.

  • Microsoft Edge Team

    Changed Assigned To to “Akshay P.”

    Changed Assigned To from “Akshay P.” to “Irfan A.”

    Changed Status to “Confirmed”

You need to sign in to your Microsoft account to add a comment.

Sign in