Security/Reviews/PluginOverlayAPI
Item Reviewed
Plugin Overlay API
Target:
- Source: http://mozilla.github.com/shumway/
- API docs: https://bugzilla.mozilla.org/attachment.cgi?id=647141
Review Bug:
ID | Summary | Priority | Status |
---|---|---|---|
776208 | Provide API for JavaScript extensions to create native plugins previews for specific mime type | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
To provide an API that lets a JavaScript extension create a preview of a plug-in for a specific MIME type. The typical use case is to allow Firefox extensions to provide a secure and interactive preview for native plugins, or to fully replace them.
This is a key component of the Shumway implementation of a web-native SWF runtime, specifically the browser integration with Firefox.
Notes
Shumway will call registerPlayPreviewMimeType.
When there's an embed, there is a check for whether a preview is registered for the type: if not, the plugin is called up; if there is, Shumway (or another preview) is loaded instead. How does the extension distinguish between multiple frames with the same source? Shumway has access to the DOM tree and can extract the information from the original element.
What is the origin of the document in the iframe? Originally the data: URI, then changed by the stream converter (for Shumway, it looks like resource:). Use of a resource URL is likely to cause problems; either use a null principal or use the origin of the original resource.
This isn't enabling anything addons can't already do; rather, exposing a cleaner way for them to do something.
What solutions/approaches were considered other than the proposed solution?
Alternative solution: to provide an API to the extension that fully intercepts Flash object instantiation, we would need to:
- add entries to window.navigator.plugins (with the same name, description, version and MIME type as Flash);
- intercept/forward all <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"> instantiations;
- and, suppress the plugins priority for the document loader factory.
Why was this solution chosen?
Less intervention into existing plugin loading base (nsObjectLoadingContent)
Any security threats already considered in the design and why?
Threat Brainstorming
- The iframe created for the preview loads a data: URI and inherits the principal of the resource:// URI, which has some level of privilege. Could try a null principal, or iframe sandbox when it lands?
- If the preview iframe is not cleaned up, it might be able to somehow interact with the page/DOM after the user has decided to load the actual plugin.
iframe box testing: http://pastebin.mozilla.org/1735309
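The two mitigations raised in the threat brainstorming (an isolated origin for the preview frame, and cleanup once the user loads the real plugin), modelled in plain DOM JavaScript. This is an added example, not Shumway or Gecko code; `createSandboxedPreview`, `hasOpaqueOrigin`, `activatePlugin` and the `previewUrl` parameter are hypothetical names, and it assumes the iframe `sandbox` attribute is available.

```javascript
// Added illustration: hypothetical helper names, plain DOM calls only.

// Build the preview frame next to the original <embed>/<object>.
// `previewUrl` is whatever document the preview extension serves (assumed).
function createSandboxedPreview(doc, original, previewUrl) {
  const frame = doc.createElement('iframe');
  // "allow-scripts" without "allow-same-origin": the framed document runs
  // script but gets a unique opaque origin, so it does not inherit the
  // principal of the URL it was loaded from.
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.setAttribute('src', previewUrl);
  original.parentNode.insertBefore(frame, original);
  return frame;
}

// Review check: true only if the frame is sandboxed and the sandbox has not
// been widened to hand the real origin back to the framed document.
function hasOpaqueOrigin(frame) {
  const value = frame.getAttribute('sandbox');
  if (value === null) return false; // no sandbox attribute at all
  const tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
  return !tokens.includes('allow-same-origin');
}

// The user chose to load the actual plugin: detach every listener the
// preview registered on the page, then remove the frame itself so nothing
// from the preview can still interact with the page/DOM.
function activatePlugin(frame, listeners) {
  for (const { target, type, handler } of listeners) {
    target.removeEventListener(type, handler);
  }
  if (frame.parentNode) frame.parentNode.removeChild(frame);
  return frame.parentNode === null;
}
```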
Action Items
Action Item Status | In Progress |
Release Target | |

Who | Bug | Action | By When | Completed (date, [NEW] new, [DONE] Done, [MISSED] Miss) |
---|---|---|---|---|
Jethro | | Arrange secreview for shumway | Coincide with / follow shortly "rough alpha" (suggest making secreview bug now, updating with time as appropriate) | [DONE] : bug 780311 |
Yury | | Remove preview iFrame (cleanup) | | |
Dan / Ian / Mark / David | | Investigate alternatives for null principal for resolving iFrame security issues | 13th - 18th August | |