Security/Reviews/Firefox6/ReviewNotes/NPAPIAsyncDrawing

Date of Review: 2011.05.24

Items Reviewed:

• AsyncDrawing for Plugins
• bug 651192

Notes

• plug-ins create buffers for use in drawing and tell browser which one should be used to draw to screen
  • old buffer unset as current in this case
  • 2 buffers usually, one current and one in background
  • plug-in can draw as needed
• supplemental rather than replace or change, drawing is negotiated on a per instance basis with the browser

Issues:

Questions:

Is this the async plugin feature that's going to fix security bugs such as bug 552002 and bug 591409 ?

• no, only used if plug-in vendor uses is thus this is not related to these bugs directly
• will these be fixed if a plug-in vendor chooses to use the new model?
  • does not fix them, but the implementation presumes that the new model is immune to these issues
• are we ever going to be able to fix these security bugs for plugins that don't switch to the new API? yes, bug 598425
• this fixes our implementation-detail fix to the API level

Will this API be safe for untrusted, low-privilege plugins? Is this an API that happens entirely within the child process?

• unknown as low privilege plug-in work has not been scoped
  • complete sandbox model would not work with this and appears unlikely
  • bitmap drawing model would work and seems more likely

Is this an API that happens entirely within the child process?

• No this does not happen within the child, it communicates with the parent process

Does anything exciting happen when the plugin changes size?

• buffers of plugin are drawn to size of plug-in area, plugin is responsible for changing size if needed
• we send a size-change event to the plugin. until the plugin responds, we (crop? stretch?) when we paint :)
• low chance of races

Actions: