Firefox3.1/AboutSessionrestore Security Review

Overview

about:sessionrestore is the new in-browser page displayed for repeated crashes from which users can choose to (selectively) restore the crashed session.

Background links

• Tracking bug 448976 - turn the Session Restore prompt into an error page
• Design mockup

Security and Privacy

• What security issues do you address in your project?
  • None
• Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
  • Wrongly configured prefs will break the SessionStore service as a whole. Shipped default preferences should prevent this from accidentally happening.
• Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
  • Web content must not be able to access about:sessionrestore, as this page contains potentially sensitive data (the whole session) and the possibility to load arbitrary URLs/cookies (needed to selectively restore the session). It is assumed that correctly implementing nsIAboutModule prevents this from happening.
• How are transitions in/out of Private Browsing mode handled?
  • about:sessionrestore is displayed before the user could enter private browsing mode.

Exported APIs

• Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
• Does it interoperate with a web service? How will it do so?
• Explain the significant file formats, names, syntax, and semantics.
• Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
• Does it change any existing interfaces?
  • No new API was added.

Module interactions

• What other modules are used (REQUIRES in the makefile, interfaces)
  • None (besides the SessionStore service component where the code has been added)

Data

• What data is read or parsed by this feature
  • Session data as provided by nsISessionStore (JSON format)
• What is the output of this feature
  • None/a restored session (same as to what SessionStore already does)
• What storage formats are used
  • None, the data is provided by nsSessionStore

Reliability

• What failure modes or decision points are presented to the user?
  • The user can decide to restore the crashing session (potentially unselecting unwanted tabs) or load the homepage (which loads in the same tab, so undo is possible)
• Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
  • No files are involved, all required data is stored inside the about:sessionrestore page and then backed up by SessionStore as form data is backed up for all web pages.

Configuration

• Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • The only added pref is browser.sessionstore.max_resumed_crashes (default value: 1) which determines after how many consecutive crashes about:sessionrestore is displayed (setting that value to -1 prevents the page from being displayed). Firefox in Safe Mode ignores this preference.
• Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • No
• What ranges for the tunable are appropriate? How are they determined?
• What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
  • Should the format emitted by nsISessionStore change (as opposed to extended), minor adjustments might be needed to gather all the required data for presentation.

Relationships to other projects

Are there related projects in the community?

• If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • No
• Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
  • No
• Added Question: How does this interact with private browsing mode? If you are in pb mode, and you crash and you come back, does it display sessions that were visited while in pb mode?

Review Comments

• do javascript: uris get restored? (seems like not)
• what principal do data: uris get? Need to test. (On undo-close-tab the principal seems to be preserved.) Do data: uris with certificate principals work correctly?
  • The principal is restored here. To verify this, load this data URL over any page and restart Firefox (resp. wait 10 seconds and crash it twice): data:text/html,<script>document.write(document.domain)</script>
• private browsing mode doesn't save session data at all. A crash in private browsing mode should restore to the point before going into private mode.
  • This happens in the Private Browsing service.
• can HTML/XUL be injected through a page's title into about:sessionrestore?
  • The titles are passed unescaped to a XUL tree through a dynamic implementation of its TreeView in aboutSessionRestore.js which should take care of it (this is what our documentation on trees seems to recommend).