Security/B2G/PermissionReview/SystemXHR

From MozillaWiki

Exposing SystemXHR

External references

Use cases

The following Gaia apps use systemXHR: Bookmark, Calendar, Smart Collections, Communications, Usage, E-Mail, Find My Device, Purchased Media, FTU, Homescreen, PDF Viewer, Browser, Settings, System

Fetching Icon

  • Bookmarks: fetching the icon to show how the bookmark will look on the home screen if the user goes on to add it (code located in shared/js/homescreens/icon.js)
  • Collections: Retrieve the icon for the content
  • Homescreen: retrieving icons
  • Search: fetching icon for searchProviders
  • Shared:
    • shared/elements/gaia_grid/js/items
      • icon loading

Talking to Mozilla services

  • Findmydevice: Communicating with https://find.firefox.com
  • Feedback: sending feedback to Mozilla servers
  • System:
    • talking to metrics server & ftu_ping

Other

  • Calendar: Sync calendar information via Caldav
  • Email:
  • Purchased Media: Talking to media download servers
  • PDF Viewer: loading PDFs (I guess, haven't traced)
  • Themes: loading wallpaper blobs via XHR

Threats

  1. Accessing resources behind a firewall: an app holding systemXHR can issue requests to hosts that are reachable only from the device's own network (intranet services, hosts behind NAT), which ordinary web content could not address because of the same-origin policy

Mitigation Strategies

Implement CORS on Mozilla properties

  • Why haven't we already done this? (i.e. are there technical limitations?)

Provide a CORS proxy for non-mozilla endpoints

  • Is Mozilla the best party to provide this? A CDN provider is the obvious choice...

Ensure that endpoint is available on public internet

  • Technically challenging (if not infeasible on many networks)
  • Blocking private address space (RFC 1918 & RFC 4193) is not enough: internal hosts can sit on public addresses, and the address alone does not tell you what a firewall protects
  • For FxOS, could we allow SystemXHR over the mobile network connection only?
    • are mobile networks _always_ public?
    • Limited benefit (added risk that web content can force traffic through mobile)
    • Could we use a Convergence-style approach for SSL endpoints (connect via wifi and mobile, verify the same cert, and then allow via wifi)? Not safe: a system might use the same cert for internal and external sites

Provide specific APIs that allow cross-origin access

  • e.g. a feed-scraper API or an icon-retrieval API