Firefox3.1/Media Queries Security Review
From MozillaWiki
Overview
Describe the goals and objectives of the feature here.
- Background links
Security and Privacy
- What security issues do you address in your project?
- parsing of, and data structures representing, syntax coming off the Web
- Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
- no configuration files or prefs
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
- The parser is responsible for building data structures that maintain a number of invariants, based on the rules in the specification. The code that uses these data structures will then, in some cases, assume these invariants hold. Security bugs could result if the parser fails to maintain the correct invariants, or if the code using the data structures makes incorrect assumptions about which invariants the parser is responsible for maintaining.
- The media queries specification gives authors the ability to detect the characteristics described by the queryable media features. Many of these (screen dimensions, window dimensions, resolution, default font sizes) could already be detected in other ways, but some are likely new (e.g., color depth of the screen, monochrome vs. color screen or printer).
Exported APIs
- Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
- CSS syntax, syntax of media attributes, and DOM interfaces to both, as described by css3-mediaqueries
- Does it interoperate with a web service? How will it do so?
- no
- Explain the significant file formats, names, syntax, and semantics.
- CSS syntax and syntax of media attributes as described by css3-mediaqueries
- Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
- documented by specification
- Does it change any existing interfaces?
- changes the syntax of CSS and of the media attribute on link and style elements in HTML and on the <?xml-stylesheet?> processing instruction, as defined by the specification
Module interactions
- What other modules are used (REQUIRES in the makefile, interfaces)
- gfx and widget code to query device capabilities
Data
- What data is read or parsed by this feature
- CSS style sheets, media attributes from the HTML link or style element or the <?xml-stylesheet?> PI
- What is the output of this feature
- which style sheets or @media rules apply (or not), which in turn affects computed style data
- What storage formats are used
- N/A
Reliability
- What failure modes or decision points are presented to the user?
- N/A
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- N/A
Configuration
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
- no
- Are there build options for developers? [#ifdefs, ac_add_options, etc.]
- no
- What ranges for the tunable are appropriate? How are they determined?
- N/A
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
- N/A
Relationships to other projects
- Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
Review comments
- Media queries can enable web sites to fingerprint users based on several attributes of their system (screen size, color depth, etc.). Most of these, if not all, are already available to script, but CSS properties make it possible without script.
- Resolution might be new information, but David thought you could get close to that by figuring out the pixel height of some text at a specified point size.
- We believe the TorButton is concerned with this fingerprinting aspect enough to have overridden window.screen to return fake values. They will also be concerned about this and we need some sort of hook to override behavior based on fake values for these properties.
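The two points above, the parser invariants that consumers depend on (Security and Privacy) and script-free fingerprinting through @media (Review comments), as one added example. This is illustrative code written for this page, not Mozilla's parser or TorButton's code: it handles only a subset of css3-mediaqueries (px and dpi units, a handful of features), the beacon URLs and device profiles are constructed, and the spoofing hook and its "generic" values are hypothetical.

```javascript
// Added example, not Mozilla's code: a toy media-query-list parser that
// enforces the invariants its consumers rely on (known feature, value of the
// right kind, min-/max- only on range features), an evaluator, and a
// demonstration of script-free fingerprinting through @media beacons.
// Only a subset of css3-mediaqueries is handled; units are limited to px/dpi.

// Range features accept min-/max- prefixes; "kind" drives value validation.
const FEATURES = {
  width: { kind: "length", range: true },
  "device-width": { kind: "length", range: true },
  resolution: { kind: "resolution", range: true },
  color: { kind: "integer", range: true },
  monochrome: { kind: "integer", range: true },
  orientation: { kind: "keyword", range: false },
};
const VALUE_RE = {
  length: /^(\d+(?:\.\d+)?)px$/,
  resolution: /^(\d+(?:\.\d+)?)dpi$/,
  integer: /^(\d+)$/,
  keyword: /^(portrait|landscape)$/,
};
const NOT_ALL = Object.freeze({ type: "not all", not: false, expressions: [] });

// Parse "(feature[: value])". Returns null on any invariant violation so the
// caller can treat the whole query as "not all", as the spec requires.
function parseExpression(text) {
  const m = /^\(\s*([a-z-]+)\s*(?::\s*([^)]+?)\s*)?\)$/i.exec(text.trim());
  if (!m) return null;
  let name = m[1].toLowerCase();
  let prefix = null;
  const p = /^(min|max)-(.+)$/.exec(name);
  if (p) { prefix = p[1]; name = p[2]; }
  const spec = FEATURES[name];
  if (!spec) return null;                               // unknown feature
  if (prefix && !spec.range) return null;               // min-/max- on non-range feature
  if (m[2] === undefined) return prefix ? null : { name, prefix, value: null }; // boolean form
  const v = VALUE_RE[spec.kind].exec(m[2]);
  if (!v) return null;                                  // wrong value kind
  return { name, prefix, value: spec.kind === "keyword" ? v[1] : Number(v[1]) };
}

// Parse "screen and (min-color: 8), print and (monochrome)" into query objects.
// Invariant for consumers: every expression is well-typed, or the query is NOT_ALL.
function parseMediaQueryList(list) {
  return list.split(",").map((raw) => {
    const parts = raw.trim().split(/\s+and\s+/i);
    let type = "all", not = false;
    if (!parts[0].startsWith("(")) {
      const h = /^(?:(not|only)\s+)?([a-z]+)$/i.exec(parts.shift());
      if (!h) return NOT_ALL;
      not = (h[1] || "").toLowerCase() === "not";
      type = h[2].toLowerCase();
    }
    const expressions = parts.map(parseExpression);
    if (expressions.includes(null)) return NOT_ALL;
    return { type, not, expressions };
  });
}

// Evaluate a parsed query against a device profile (the values that gfx and
// widget code would report). The evaluator trusts the parser's invariants.
function evaluateQuery(query, device) {
  if (query.type === "not all") return false;
  const typeOk = query.type === "all" || query.type === device.type;
  const exprsOk = query.expressions.every((e) => {
    const actual = device[e.name];
    if (e.value === null) return actual !== undefined && actual !== 0;
    if (e.prefix === "min") return actual >= e.value;
    if (e.prefix === "max") return actual <= e.value;
    return actual === e.value;
  });
  return query.not ? !(typeOk && exprsOk) : typeOk && exprsOk;
}

// Script-free probing: each @media block sets a distinct background-image, so
// the server learns which beacons the browser requested. URLs are made up.
const PROBE_RULES = [
  ["(monochrome)", "/b/mono"],
  ["(min-color: 8)", "/b/color8"],
  ["(min-resolution: 150dpi)", "/b/hidpi"],
  ["(max-device-width: 800px)", "/b/small"],
  ["(orientation: portrait)", "/b/portrait"],
];
function beaconsRequested(device, rules = PROBE_RULES) {
  return rules
    .filter(([q]) => parseMediaQueryList(q).some((m) => evaluateQuery(m, device)))
    .map(([, url]) => url);
}

// Constructed profiles: a real phone-like screen, and a hypothetical override
// hook of the kind the TorButton remark calls for (values are illustrative).
const REAL_DEVICE = { type: "screen", width: 375, "device-width": 375,
  resolution: 326, color: 8, monochrome: 0, orientation: "portrait" };
function spoofProfile(device, overrides) {
  return { ...device, ...overrides };
}
const GENERIC_OVERRIDES = { width: 1000, "device-width": 1000, resolution: 96,
  orientation: "landscape" };
```

Running `beaconsRequested(REAL_DEVICE)` returns four beacon URLs, while the same call on `spoofProfile(REAL_DEVICE, GENERIC_OVERRIDES)` returns only `/b/color8`: the override hook collapses the distinguishing bits without touching the parser. The parser side shows why the consumer can stay simple: a min-/max- prefix on a non-range feature, a wrong value kind, or an unknown feature never reaches `evaluateQuery`; the query becomes `not all` instead.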