Security/Reviews/Firefox6/ReviewNotes/ServerDomEvents

From MozillaWiki

Server Sent DOM Events 2011.06.27

Introduce Feature

  • Goal of feature: what is it trying to achieve (problem solved, use cases, etc.)?
    • support data that a server can push to a web page
    • only supports http[s] today but could support other protocols in the future
  • What solutions/approaches were considered other than the proposed solution?
    • multipart XMLHttpRequest is also being implemented, since other browsers support it
    • WebSockets (which are two-way) require big changes to servers
  • Why was this solution chosen?
  • Any security threats already considered in the design and why?
    • same-origin connections

Questions

  • does support for http mean we also support https?
    • yes but should be tested and confirmed as correct
  • content has to opt-in to receive messages?
    • the EventSource object receives the messages
      • it's not in the document tree, so there's no capture/bubbling phase
  • two parallel listeners... what happens?
    • both get a reference to the same event (no race condition)
    • do they share a (network) connection, or are multiple connections opened?
      • Probably different connections. TODO: check that both listeners see the same event object in the client.
      • Even if they are in different pages? Good question: separate pages probably should not share a connection, but listeners in the same page should (what does the spec say?)
  • how is the URI in the constructor validated (i.e. checked that it is not a chrome: URI or some other unusual scheme)?
  • how does CSP factor into EventSource usage ?
    • the nsIContentPolicy load type is currently TYPE_SCRIPT, but should probably be changed to TYPE_XMLHTTPREQUEST (or a type of its own)
  • If you're on an HTTPS page and the event source references HTTP URL, does the mixed content UI get triggered (hide secure badging for the page)?
    • Not an issue for same-origin, but for CORS support needs to be considered.
    • Do we want to treat an HTTP event stream on an HTTPS page as "mixed display" (allowed) or "mixed scripting" (blocked) when we adopt this distinction from Chromium? Treating it the same as XHR would let us deal with both together; probably "mixed scripting".
  • can file:// URLs construct an EventSource object? (The MIME type check should stop this, since a local file won't be served with the text/event-stream MIME type the stream requires.)
    • FF aborts with "Firefox can't establish a connection to server at ..."
  • interaction with bfcache?
    • frozen document gets its connections closed. thawed document gets reconnected.

Threat Brainstorming

Server attacking client

  • DoS by opening a bunch of connections, maxing out our limits
    • differs from XMLHttpRequest because it is expected to be long-lived (but same risk as multiple long-lived XHRs)
    • maybe we should have a per-tab limit so a single tab can't eat your networking limits
  • the spec specifies the event stream format and how to parse it - possible input validation threat here. how complex is the parser? should it get fuzzing and/or extra review?
    • The current spec defines four field names (event, data, id, retry) plus comment lines starting with ":". The syntax of each field line is "field: value EOL". Fuzz tests so far have found nothing (07/02/11).
  • Does this allow events to be fired (at web pages) at times when it would be unusual for events to fire?
  • Do we have tests to ensure we don't crash/deadlock/leak if a script responds to receiving an event by:
    • closing the tab
    • closing the window
    • closing the socket
  • Server could infer whether GC happened by seeing whether a thawed document's EventSource reconnects

Server attacking other server

  • If you've already XSSed a site, could EventSource let you do things you weren't previously able to accomplish? (CORS doesn't help here.)
    • Site must opt in with MIME type and CORS

MITM attacks

  • If the connection ends (EOF) in the middle of a message, is the partial message delivered to script? Spec issue.

Data attacking server & client

  • [dveditz] Data validation / sanitization of the ID, which the browser re-sends to the server upon reconnection
  • What happens if there's a nul byte? (particularly when data is handled in C code)
  • Data contains line break, causing client to think there's a separate message
    • Does every participant agree on which characters constitute line breaks?
      • Spec is clear: a line ends with \r\n, a lone \r, or a lone \n.
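The parser questions raised in the threat brainstorm (how complex the event-stream parser is, whether an EOF in the middle of a message delivers a partial event to script, which bytes count as line breaks, what a NUL byte does, and what ID the browser re-sends on reconnection) can be pinned down against the spec's parsing rules. The following is an added example written for these notes, not Firefox's EventSource implementation: it follows the WHATWG text/event-stream parsing rules (the rule that an id containing NUL is ignored comes from the current spec, not the 2011 draft), and the `EventStreamParser` class, the `reconnectHeaders` helper and the sample chunks are all constructed here for illustration.

```javascript
// Added example, not Mozilla's EventSource code: a text/event-stream parser
// written to the WHATWG rules so the edge cases above can be exercised offline.
// Handles CRLF, CR and LF line endings (including a CR/LF pair split across two
// network chunks), ":" comment lines, "field: value" lines, the four defined
// fields (event, data, id, retry), a NUL in an id value (ignored, so it can
// never reach the Last-Event-ID header) and an incomplete event at EOF
// (discarded, never delivered to script).
class EventStreamParser {
  constructor() {
    this.pending = "";     // text after the last line terminator seen so far
    this.dataBuffer = "";  // per-stream buffers, reset after each dispatch
    this.eventType = "";
    this.idBuffer = "";    // per-stream; committed to lastEventId at dispatch
    this.lastEventId = ""; // EventSource state that survives reconnects
    this.retryMs = null;   // reconnection time set by the server, if any
    this.events = [];      // events a real client would fire at the page
  }

  // Feed one chunk of the response body.
  feed(chunk) {
    let text = this.pending + chunk;
    // A bare CR at the end of the chunk may be the first half of a CRLF,
    // so hold it back until the next chunk (or end()) decides.
    const holdCR = text.endsWith("\r");
    if (holdCR) text = text.slice(0, -1);
    const lines = text.split(/\r\n|\r|\n/);
    // The last element has no terminator yet; keep it for the next chunk.
    this.pending = lines.pop() + (holdCR ? "\r" : "");
    for (const line of lines) this.processLine(line);
  }

  processLine(line) {
    if (line === "") { this.dispatch(); return; }  // blank line ends an event
    if (line.startsWith(":")) return;               // comment line
    let field = line, value = "";
    const colon = line.indexOf(":");
    if (colon !== -1) {
      field = line.slice(0, colon);
      value = line.slice(colon + 1);
      if (value.startsWith(" ")) value = value.slice(1);  // strip exactly one space
    }
    switch (field) {
      case "event": this.eventType = value; break;
      case "data": this.dataBuffer += value + "\n"; break;
      case "id":
        // Current spec: an id containing U+0000 is ignored; otherwise it would
        // be echoed to the server verbatim in the Last-Event-ID request header.
        if (!value.includes("\u0000")) this.idBuffer = value;
        break;
      case "retry":
        if (/^[0-9]+$/.test(value)) this.retryMs = Number(value);  // else ignored
        break;
      default: break;                                 // unknown field: ignored
    }
  }

  dispatch() {
    this.lastEventId = this.idBuffer;  // committed even when nothing is fired
    if (this.dataBuffer === "") { this.eventType = ""; return; }
    const data = this.dataBuffer.slice(0, -1);  // drop the trailing LF
    this.events.push({ type: this.eventType || "message", data, lastEventId: this.lastEventId });
    this.dataBuffer = "";
    this.eventType = "";
  }

  // End of stream. A held CR still terminates its line; anything else left
  // over, including an event with no final blank line, is dropped.
  end() {
    if (this.pending.endsWith("\r")) this.processLine(this.pending.slice(0, -1));
    this.pending = "";
    this.dataBuffer = "";
    this.eventType = "";
    this.idBuffer = "";
  }

  // Request headers a client would send on reconnect: the only server-supplied
  // data that flows back to the server is the committed last event ID.
  reconnectHeaders() {
    const headers = { "Accept": "text/event-stream", "Cache-Control": "no-cache" };
    if (this.lastEventId !== "") headers["Last-Event-ID"] = this.lastEventId;
    return headers;
  }
}

// Constructed sample chunks (not a real capture): all three line endings, a
// CRLF split across chunks, a comment, a NUL-bearing id, a malformed retry
// value, and an event cut off by EOF.
const SAMPLE_CHUNKS = [
  ": keep-alive comment\r\n",
  "id: 41\ndata: first\r",     // CR here, LF arrives in the next chunk
  "\n\n",
  "event: update\r\nid: bad\u0000id\r\ndata: line one\r\ndata: line two\r\n\r\n",
  "retry: 10s\nretry: 5000\ndata: {\"n\": 3}\n\n",
  "id: 99\ndata: truncated by EOF",  // no blank line, so never dispatched
];

function parseStream(chunks) {
  const parser = new EventStreamParser();
  for (const chunk of chunks) parser.feed(chunk);
  parser.end();
  return parser;
}

const demo = parseStream(SAMPLE_CHUNKS);
console.log(demo.events);             // 3 events; the truncated one is absent
console.log(demo.reconnectHeaders()); // Last-Event-ID is "41", not "99"
```

Running it shows the answers to the questions above: the truncated final event is dropped rather than delivered partially, the "id: 99" line never becomes the Last-Event-ID because no blank line committed it, the id containing NUL is ignored so the earlier "41" is what the server sees on reconnect, and "10s" is rejected as a retry value while "5000" is accepted.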

Conclusions / Action Items

  • [Olli] Test for HTTPS support
    • Test should ensure that invalid cert is a silent-to-the-user error
  • [Olli] Test (with CORS support) if HTTP event listener on HTTPS page causes mixed-mode UI
  • [Olli] File bug to change the nsIContentPolicy content load type from SCRIPT to something like XHR (bug 667490)
  • [cdiehl?] fuzz the protocol
  • [dveditz] bug: Spec problems. (EOF partial messages)