Security/Reviews/Firefox6/ReviewNotes/AddOns

From MozillaWiki

Date of Review: 2011.05.25

Item Reviewed:

Add-on Installation

Pri1:

  • move from modal to arrow panel
  • timer change

- how are multiple at once being handled?

  • the dialogs will stack until a certain number then scroll (not z-index)
    • error handling still needs some work
  • Author not verified messaging changing for Add-ons from A.M.O
    • Need verification that reviews have been done to a level that supports this security statement
    • too much reliance on automated scan for this check, more in depth analysis is needed
    • Concept is good

Pri2:

  • download before install and ask -or- ask then download
    • old: ask then download, changed in FX4 to download then ask for several reasons (i.e. compatibility)
  • ask then download is the preferred method from a security perspective

Issues:

  • possible API changes to support messaging for reviewed, "good" add-ons

Followups:

  • need a set of heuristics for making decisions on how the add-on experience flows (future work)
  • review error handling when complete

Third Party Add-on Confirmation

  • if install without restart, tab closes
  • old style: continue changes to "you have to restart"
  • can also be enabled from add-ons manager

Questions:

Issues:

  • N/A

Followups:

  • N/A

Previous Discussions

From 4.7.2011

  • possible changes to add-on dialogs and their impact
  • goal improve add-on installation for users
    • lengthy steps seem inconsistent to users, e.g. countdown, and UI differences
    • perception on AMO that even AMO is not trusted even when add-on comes from Moz
    • implication is this should not be trusted even if linked to by trusted spaces.
  • streamline process, make easier, less clicks, possibly reduce or remove countdown

Q: What are the risks entailed in installation and is AMO less risk than other sites?

  • Should be clear that AMO is a website that is part of the app, but what if AMO is hacked? Does this necessarily help?
  • If you go to AMO as a website then this is a preferred experience, like the bits in FX
    • Desire: AMO having a different status
    • Dialog is needed as click-jacking is still prevalent/possible on AMO
    • A site cannot frame the add-on tab, whereas getting a click attack on AMO is somewhat trivial
  • Need clear dialog for AMO sandbox

mockup: https://people.mozilla.com/%7Ejboriss/dump/flow_chart_for_addon_download2.pdf

suggestions:

  • We could lower the delay from 2 noisy seconds to 1 quiet second (added to goals above)
  • We could show the user-intent-verification first, before the download finishes. Then there aren't 2 separate "waiting" steps as long as the download is fast (added to goals above)
    • this would require AMO to supply the stuff that's supposed to appear in the dialog, as part of the InstallTrigger call, but it would make the UI much better.
  • We could make it so any link to addons.mozilla.org opens in a new tab, and use browser-side defenses against clickjacking on that tab (not a current goal)
  • We could deny InstallTrigger if clicked within 1 second of selecting the tab/window, to make clickjacking AMO harder
  • Rather than author information, which is never verified, could show AMO status
    • (not on AMO; sandboxed; full review; old version)
    • popularity
    • average review score
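The timing defenses suggested above (the 1 quiet second before the confirm button is live, denying InstallTrigger within 1 second of selecting the tab, and asking before downloading), modelled as one browser-side gate. This is an added illustration, not Firefox code; the class and constant names (InstallGate, FOCUS_GRACE_MS, CONFIRM_DELAY_MS) and the millisecond timestamps are assumptions.

```javascript
// Added example (not Firefox code): a model of the install-gating policy the
// notes describe. Timestamps are constructed values in milliseconds.
const FOCUS_GRACE_MS = 1000;   // deny InstallTrigger within 1 s of tab selection
const CONFIRM_DELAY_MS = 1000; // "1 quiet second" before the confirm button is live

class InstallGate {
  constructor() {
    this.focusedAt = null;  // when the tab/window was last selected
    this.promptedAt = null; // when the confirmation panel was shown
  }

  // The tab or window was selected at time t.
  onTabSelected(t) {
    this.focusedAt = t;
    this.promptedAt = null; // a prompt from before the refocus is stale
  }

  // A page called InstallTrigger at time t. Ask first; download only after consent.
  onInstallTrigger(t) {
    if (this.focusedAt === null) {
      return { allowed: false, reason: 'no focus recorded' };
    }
    if (t - this.focusedAt < FOCUS_GRACE_MS) {
      // A click landing this soon after a tab switch matches the clickjacking
      // timing the notes describe, so refuse rather than show a prompt.
      return { allowed: false, reason: 'trigger too soon after tab focus' };
    }
    this.promptedAt = t;
    return { allowed: true, reason: 'prompt shown' };
  }

  // The user clicked the panel's install button at time t.
  onConfirmClick(t) {
    if (this.promptedAt === null) {
      return { allowed: false, reason: 'no active prompt' };
    }
    if (t - this.promptedAt < CONFIRM_DELAY_MS) {
      // Too fast to be a considered click; keep the button inert.
      return { allowed: false, reason: 'confirm clicked before delay elapsed' };
    }
    this.promptedAt = null; // one consent authorises one download
    return { allowed: true, reason: 'download and install' };
  }
}
```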

Unresolved Questions:

  • AMO warnings (slows down firefox? has privacy policy?)