Firefox 3.6/Personas Uplift Security Review

From MozillaWiki

Overview

Describe the goals and objectives of the feature here.

Background links

Security and Privacy

  • What potential security issues in your feature have you already considered and addressed?
    • We don't verify that the files stored as $PROFILE_FOLDER/lightweighttheme-header and $PROFILE_FOLDER/lightweighttheme-footer are in fact images.
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
    • The xpinstall whitelist is re-used, since the capability it's associated with is "Install Extensions or Themes", where lightweight themes fit in. getpersonas.com is by default whitelisted.
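The first bullet above says the stored header and footer files are never checked to be images. The check a reviewer would ask for is a signature sniff on the downloaded body before it is adopted as a theme image; the block below is an added example written for this page, not Firefox's own code. The function names, the injectable `writeFile` hook and the sample byte strings are constructed here, and since the page says storage goes through nsIWebBrowserPersist.saveURI (which writes straight to the profile), the assumption is that such a check would run on the saved file before it is used.

```javascript
// Added example, not Firefox's own code: a magic-byte check for the header and
// footer images before they are kept as $PROFILE_FOLDER/lightweighttheme-*.
// Function names and the writer hook are assumptions; the sample bodies are
// constructed in this file, nothing is read from disk.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_SOI = Buffer.from([0xff, 0xd8, 0xff]); // Start Of Image + first marker byte

// Returns "png", "jpeg" or null by inspecting only the leading bytes.
// This keeps HTML, script, SVG or GIF bodies from being stored as a theme
// image, but it does not prove the rest of the file decodes cleanly; a full
// decode pass would be the next step.
function sniffImageType(bytes) {
  if (bytes.length >= PNG_SIGNATURE.length &&
      bytes.subarray(0, PNG_SIGNATURE.length).equals(PNG_SIGNATURE)) {
    return "png";
  }
  if (bytes.length >= JPEG_SOI.length &&
      bytes.subarray(0, JPEG_SOI.length).equals(JPEG_SOI)) {
    return "jpeg";
  }
  return null;
}

// Gate for the persist step: only the formats the personas site allows (JPG, PNG).
function isAllowedThemeImage(bytes) {
  const type = sniffImageType(bytes);
  return type === "png" || type === "jpeg";
}

// Store the body only if it passed the check. `writeFile(path, bytes)` is
// passed in (e.g. fs.writeFileSync) so the decision can be exercised without
// touching a real profile folder. Returns true when the file was written.
function persistThemeImage(bytes, destPath, writeFile) {
  if (!isAllowedThemeImage(bytes)) {
    return false; // refuse to store; the caller keeps the previous theme
  }
  writeFile(destPath, bytes);
  return true;
}

// Constructed sample bodies: minimal headers, not complete images.
const SAMPLE_PNG = Buffer.concat([
  PNG_SIGNATURE,
  Buffer.from([0x00, 0x00, 0x00, 0x0d]), // IHDR chunk length
  Buffer.from("IHDR"),
]);
const SAMPLE_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10,
                                 0x4a, 0x46, 0x49, 0x46, 0x00]); // SOI + APP0 "JFIF"
const SAMPLE_GIF = Buffer.from("GIF89a\x01\x00\x01\x00", "latin1");
const SAMPLE_HTML = Buffer.from("<html><script>/* not an image */</script></html>");

// Stand-alone demo with an in-memory writer instead of the profile folder.
const demoStore = new Map();
for (const [label, body] of Object.entries(
       { png: SAMPLE_PNG, jpeg: SAMPLE_JPEG, gif: SAMPLE_GIF, html: SAMPLE_HTML })) {
  const kept = persistThemeImage(body, `lightweighttheme-header.${label}`,
                                 (p, b) => demoStore.set(p, b));
  console.log(`${label}: sniffed=${sniffImageType(body)} stored=${kept}`);
}
```

Two caveats follow from the review comments further down: a signature check rejects GIF bodies but an animated PNG still starts with the PNG signature, so it does not by itself address the animated-image concern, and a matching signature says nothing about whether the decoder will accept the rest of the file.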

Exported APIs

The browser accepts these events from content: InstallBrowserTheme, PreviewBrowserTheme, ResetBrowserThemePreview. InstallBrowserTheme requires the event target to have a data-browsertheme attribute which contains a JSON string.

Example page: https://bug511771.bugzilla.mozilla.org/attachment.cgi?id=399709

The decoded object must contain: "id", "name", "headerURL". It may contain: "footerURL", "textcolor", "accentcolor", "iconURL", "previewURL", "author", "description", "homepageURL". All values must be strings. Keys ending with "URL" must be absolute URLs or URLs relative to the event target's baseURI. Invalid URLs and URLs that don't start with https?: are dropped. Empty strings are dropped.

The InstallBrowserTheme event causes the theme to be installed if the site is on the xpinstall whitelist and raises a notification bar otherwise. The PreviewBrowserTheme and ResetBrowserThemePreview events are allowed for whitelisted sites only. Previews are reset automatically after 30 seconds, in case the ResetBrowserThemePreview event is never dispatched.
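The attribute rules and the whitelist gating described in the two paragraphs above, carried through in one place as an added example (not Firefox's own code). `sanitizeThemeData`, `handleThemeEvent`, the host-keyed `whitelist` Set and the returned action objects are assumptions made for the example; the sample payload and base URI are constructed. One reading of the page is also assumed: a non-string value rejects the whole payload ("must be strings"), while invalid or non-http(s) URLs and empty strings only drop their own key, and a required key that gets dropped that way leaves the payload unusable.

```javascript
// Added example, not Firefox's own code: sanitizes a data-browsertheme payload
// by the rules above and applies the whitelist gate for the three events.
// Function names, the `whitelist` Set and the return shapes are assumptions;
// the sample payload and base URI are constructed.

const REQUIRED_KEYS = ["id", "name", "headerURL"];
const OPTIONAL_KEYS = ["footerURL", "textcolor", "accentcolor", "iconURL",
                       "previewURL", "author", "description", "homepageURL"];
const PREVIEW_RESET_MS = 30 * 1000; // previews reset themselves after 30 s

// Returns the cleaned theme object, or null when the payload is unusable
// (not JSON, not an object, a non-string value, or a required key missing
// once invalid/empty values have been dropped).
function sanitizeThemeData(json, baseURI) {
  let raw;
  try {
    raw = JSON.parse(json);
  } catch (e) {
    return null;
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) return null;

  const clean = {};
  for (const key of [...REQUIRED_KEYS, ...OPTIONAL_KEYS]) {
    if (!(key in raw)) continue;                // keys not listed above are ignored (assumption)
    let value = raw[key];
    if (typeof value !== "string") return null; // "all values must be strings"
    if (value === "") continue;                 // empty strings are dropped
    if (key.endsWith("URL")) {
      let url;
      try {
        url = new URL(value, baseURI);          // absolute, or relative to the target's baseURI
      } catch (e) {
        continue;                               // invalid URL: dropped
      }
      if (url.protocol !== "http:" && url.protocol !== "https:") continue; // only https?: survive
      value = url.href;
    }
    clean[key] = value;
  }
  for (const key of REQUIRED_KEYS) {
    if (!(key in clean)) return null;           // id, name and headerURL must survive
  }
  return clean;
}

// Decide what the browser does with one event from content. `whitelist` holds
// the hosts that have the "Install Extensions or Themes" capability.
function handleThemeEvent(type, host, json, baseURI, whitelist) {
  const trusted = whitelist.has(host);
  switch (type) {
    case "InstallBrowserTheme": {
      const theme = sanitizeThemeData(json, baseURI);
      if (!theme) return { action: "ignore", reason: "invalid data-browsertheme" };
      // Whitelisted: install now. Otherwise: notification bar with an "Allow" button.
      return trusted ? { action: "install", theme } : { action: "notify", theme, host };
    }
    case "PreviewBrowserTheme": {
      if (!trusted) return { action: "ignore", reason: "not whitelisted" };
      const theme = sanitizeThemeData(json, baseURI);
      if (!theme) return { action: "ignore", reason: "invalid data-browsertheme" };
      // The caller arms a timer for resetAfterMs in case Reset is never dispatched.
      return { action: "preview", theme, resetAfterMs: PREVIEW_RESET_MS };
    }
    case "ResetBrowserThemePreview":
      return trusted ? { action: "reset" } : { action: "ignore", reason: "not whitelisted" };
    default:
      return { action: "ignore", reason: "unknown event" };
  }
}

// Constructed sample: what a gallery page might put in data-browsertheme.
const SAMPLE_BASE_URI = "https://getpersonas.com/gallery/";
const SAMPLE_JSON = JSON.stringify({
  id: "12345",
  name: "Example Persona",
  headerURL: "/themes/12345/header.jpg",    // relative: resolved against baseURI
  footerURL: "ftp://example.invalid/f.jpg", // not http(s): dropped
  iconURL: "",                              // empty: dropped
  previewURL: "javascript:void(0)",         // not http(s): dropped
  homepageURL: "http://",                   // unparsable: dropped
  textcolor: "#ffffff",
  accentcolor: "#000000",
});

// Stand-alone demo: same payload from a whitelisted and a non-whitelisted host.
const demoWhitelist = new Set(["getpersonas.com"]);
for (const host of ["getpersonas.com", "other.example"]) {
  const r = handleThemeEvent("InstallBrowserTheme", host, SAMPLE_JSON, SAMPLE_BASE_URI, demoWhitelist);
  console.log(host, "->", r.action, r.theme ? Object.keys(r.theme).join(",") : r.reason);
}
```

The example runs under Node, where `URL` is global and behaves like the browser's; in chrome code the baseURI would come from the event target's `ownerDocument`. The preview result deliberately carries the 30 s delay rather than arming a timer itself, so the same decision logic can be tested without waiting.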

Module interactions

Data

  • What data is read or parsed by this feature?
    • the data-browsertheme attribute is read from content and parsed using JSON.parse
  • What storage formats are used?
    • prefs (boolean & JSON strings) and actual files: $PROFILE_FOLDER/lightweighttheme-header, $PROFILE_FOLDER/lightweighttheme-footer

Reliability

  • What failure modes or decision points are presented to the user?
    • When the InstallBrowserTheme event is dispatched on a content node, a notification bar appears, saying that this site (the location.host of the node's ownerDocument) attempted to install a theme. There's an "Allow" button. Not approved for 1.9.2 yet: When a theme has been installed, another notification bar confirms that a theme has been installed, allowing the user to undo this or manage themes (open the add-ons manager's themes pane).
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
    • We depend on nsIWebBrowserPersist.saveURI when it comes to storing the header and footer images.

Configuration

Relationships to other projects

Are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments

  • The xpinstall whitelist should not be used for this new feature. Instead, a new whitelist should be used. See bug 522522.
  • what parts of the browser can personas modify?
    • only the main window, and then only backgrounds
  • should animated images be disallowed?
    • Jesse's concern: after an hour, image animates to show something that looks like a message from Firefox
    • since it's only the background and not clickable, it probably wouldn't be too convincing
    • could we make animated personas go through a review process for inclusion on getpersonas.com, at least?
  • when you install a persona, is the image stored forever, or do we hit the server sometimes (e.g. for updates or falling out of the cache)?
    • what are the privacy and MITM implications?
  • does leaving the page while a preview is active always reset the preview?
  • only allow permanently applying a theme at times when popups are allowed (e.g. on click)?
  • Review guidelines for personas are changing, defined later.
  • images are limited to JPG and PNG on the personas site (using ImageMagick to check the formats).
  • the client itself doesn't check.
  • client stores the images, but will check for updates.
  • When a site installs a persona we bring up an info bar with an undo button
    • Undo button is not much of a security measure, since it is likely to go away if the site causes the page to navigate, causes the tab to be closed, or makes Firefox crash.
  • Sites can be unwhitelisted in site prefs
  • unwhitelisted sites get an "allow once" infobar if they try to install a persona
  • unwhitelisted sites cannot preview a persona
  • update checks should obey the addon update check pref
  • URLs for themes are restricted to http/https