SocialAPIMultiProvider

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

Social API Multiple Providers
Target https://mana.mozilla.org/wiki/display/SECURITY/Social+API+multi-providers+Security+Review

this should have been public :)

Prev review info: https://mana.mozilla.org/wiki/display/SECURITY/Social+API+Security+Review


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • install process for additional social providers
    • (for Facebook) user goes to page, "turn on" button, starts social API, also has an undo panel
  • For Firefox 22 only social providers included on our whitelist can be installed, these are restricted to organisations with whom we have working relationships or partnerships with.
  • In Firefox 23 we will allow any social provider to be installed. (can be listed on AMO or marketplace)
    • additional panel for non-whitelisted provers, panel has a notice and enable button and undo panel
  • implementation taken from light weight themes process (DOM event)
    • manifest data recieved from target element, validated, then presented with enable panel
    • manifest stored into prefs

UI :

  • sidebar and content
    • sidebar from us
    • content page on the site
  • buttons in chrome UI
    • can be defined from provider and bound by sameorigin

What solutions/approaches were considered other than the proposed solution?

  • use add-ons, did not want installation of additional items (e.g. features--addons can do anything)
  • JSON file from provider, seperatly loaded - unneccessary given it can come from page

Why was this solution chosen?

  • most direct pathway with least friction

Any security threats already considered in the design and why?

  • same origin required for additional pages to page requesting installation
  • images can come from an alternate domain
  • backend also supports blocklisting (hard and soft via AMO)

Threat Brainstorming

  • UI redressing attack on the "Enable Services" doorhanger
    • Is there a delay before a user can click, similar to the addons dialog
  • diff between disable and remove?
    • disable only turns it off, removes from list
    • remove takes it out
  • provider loaded, sidebar hidden
    • frame worker loaded (as workers can not currently support sockets)
  • supported schemes for iconURLs
    • created as image tags
    • mobile may handle differently but SOP protects <img> data
  • directory provided manifests?
  • Property "SecReview feature goal" (as page type) with input value "* install process for additional social providers
      • (for Facebook) user goes to page, "turn on" button, starts social API, also has an undo panel
    • For Firefox 22 only social providers included on our whitelist can be installed, these are restricted to organisations with whom we have working relationships or partnerships with.
    • In Firefox 23 we will allow any social provider to be installed. (can be listed on AMO or marketplace)
      • additional panel for non-whitelisted provers, panel has a notice and enable button and undo panel
    • implementation taken from light weight themes process (DOM event)
      • manifest data recieved from target element, validated, then presented with enable panel
      • manifest stored into prefs

    UI :

    • sidebar and content
      • sidebar from us
      • content page on the site
    • buttons in chrome UI
      • can be defined from provider and bound by sameorigin" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
      • Property "SecReview alt solutions" (as page type) with input value "* use add-ons, did not want installation of additional items (e.g. features--addons can do anything)
    • JSON file from provider, seperatly loaded - unneccessary given it can come from page" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threats considered" (as page type) with input value "* same origin required for additional pages to page requesting installation
    • images can come from an alternate domain
    • backend also supports blocklisting (hard and soft via AMO)" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    • Property "SecReview threat brainstorming" (as page type) with input value "* UI redressing attack on the "Enable Services" doorhanger
      • Is there a delay before a user can click, similar to the addons dialog
    • diff between disable and remove?
      • disable only turns it off, removes from list
      • remove takes it out
    • provider loaded, sidebar hidden
      • frame worker loaded (as workers can not currently support sockets)
    • supported schemes for iconURLs
      • created as image tags
      • mobile may handle differently but SOP protects data
    • directory provided manifests?" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status In Progress
Release Target `
Action Items
* [dchan] - Follow up with clouserw on origin verification process for AMO / marketplace directory provided manifests - I dont think that he has even begun thinking about social support at all yet
  • [dchan] - Look into about:socialerror chrome privileges and file bug if needed
  • [psiinon] Test to make sure only script accessible cookies will be available to providers
  • [psinnon] http/https discussion
  • [psiinon] Investigate collecting FHR metrics inc http/https
Retrieved from "https://wiki.mozilla.org/index.php?title=SocialAPIMultiProvider&oldid=654166"