Thunderbird:Thunderbird3:ContentSecReview/Content Policy Security Review
From MozillaWiki
Contents
Overview
Thunderbird 2 based all content policy decisions on the item (message or remote content) displayed within the message pane. This was regardless of whether the content was within the message pane browser element or not.
The policy has been altered so that content policy decisions are based on the uri of the same type docshell. If it is a message then special restrictions apply.
- Background links
- bug 374578 Block remote content for messages only - and not just in the message pane
- bug 491921 Write tests for different content types for the content policy
Security and Privacy
- Is this feature a security feature? If it is, what security issues is it intended to resolve?
- Yes - incorrect restrictions on content loading.
- What potential security issues in your feature have you already considered and addressed?
From the main bug, the general order of checks is currently:
1) If Suite, accept anything that isn't from an app type of APP_TYPE_MAIL. 2) Reject TYPE_OBJECT (plugins) if we're not allowing plugins. 3) Disable JS on TYPE_DOCUMENT. 4) If the requesting location is trusted (chrome, resource, about, file), accept the load. 5) If the content location is exposed (as per prefs) or is chrome, resource, data then accept the load. 6) If the content location isn't http, https or file then reject the load. 7) If allowing all remote images/content, accept the load. 8) If we're the compose window, call ComposeShouldLoad to do special processing (unchanged from TB 2). 9) Get the originating URI from the docshell that is found by GetSameTypeRootItem (so the root content docshell that we've set up, to account for multiple iframes). 10) If the originating URI is http or https, accept the load. 11) If the originating URI isn't a mailnews message URI, reject the load. 12) Look at the mailnews message uri and determine if we should load it based on: * the remote content setting in the message header * it is an RSS article (accept if it is). * the domain the message is trying to load (mail.trustedDomains) * address book whitelists
- Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
- How are transitions in/out of Private Browsing mode handled?
Exported APIs
N/A
Module interactions
N/A
Data
N/A
Reliability
- What failure modes or decision points are presented to the user?
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
Configuration
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
- "mailnews.message_display.disable_remote_image"
- allows all content to be displayed per gecko content policies.
- "mailnews.message_display.allow.plugins"
- allows plugins to be loaded. This currently applies to any content, not specific to remote content in messages.
- "mail.trusteddomains"
- remote content will be allowed in messages if the hostname of the remote content is in this preference list.
- "mailnews.message_display.disable_remote_image"
Relationships to other projects
Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?