Security/Reviews/ReaderMode

• Property "SecReview solution chosen" (as page type) with input value "* All parsing done on client side

  2 main components: 1) parser 2) The UI Workflow:

  • access page
  • page view event from gecko
  • spawn a chrome worker which consumes a string (the HTML from the page) (serialized using the XML serializer)
  • This worker has a super simplfied DOM parser (we don't have access to the DOM from the worker) - creates a DOM-ish tree. Runs the readibility alg and returns the title, article content, etc.
  • After this - at this point we work out if the page is readible or not - if it is, the icon appears
    • When clicked, the about:reader page shows
    • This takes the result from the chrome worker and sends it to a non-priv about page.
    • (there's now also some sanitizing on the content - nsiparserutils?)
      • Currently, the sanitizer is blacklisting - people will try to fool the parser

  Long term plan is to have the content in an iFrame but disable script in the page. We can't use the DOM parser because:

  • Threading constraints (single threaded)

  We try to not parse as early as possible - we want to avoid parsing whenever we can Solution chosen out of neccessity When things are added to the reading list, their content is stored in an indexedDB (but NOT in places DB) for about:reader (not from the domain of the page/content)

  • Put in there from chrome code - caches, then adds bookmark
    • Tracked by click on unprivileged page (then priviliged code from a callback)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threats considered" (as page type) with input value "Security issues have been identified with (earlier versions) of this - see https://bugzilla.mozilla.org/show_bug.cgi?id=778582 - following the issue identified here, various changes have been made to tighten things up (including removal of chrome privs from the about:reader page).

  https://bugzilla.mozilla.org/show_bug.cgi?id=785992 contains a patch that sanitizes the content being loaded into reader mode. it uses ParserUtils::ParseFragment : + let parserUtils = Cc["@mozilla.org/parserutils;1"].getService(Ci.nsIParserUtils); + let contentFragment = parserUtils.parseFragment(article.content, Ci.nsIParserUtils.SanitizerDropForms, + false, articleUri, this._contentElement);

  this disables scripts on the document via its script loader" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
• Property "SecReview threat brainstorming" (as page type) with input value "* script injection - the sanitizer attempts to stop this
  • • could use CSP once we support CSP in  ?
      • Potential issues with the reader chrome if we do this
    • could use iframe sandbox ?
  • runs in an unprivileged about: page
    • lucasr has tried accessing various chrome things from this page to make sure it can't (mgoodwin will also try this)
    • not associated with domain of original article (awesome !)
  • Sanitizer attacks
    • Currently the sanitizer blacklists
    • people will try to fool the parser - can we instead try to whitelist allowed tags / attributes" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

mgoodwin::perform more testing on accessing chrome stuff from the about:reader page::w/c24/09/2012 (no bug required for this) lucasr::change parser filtering from blacklist style to whitelist style - include URL scheme whitelisting (http, https, FTP) (bug to be filed)::

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);