Labs/Jetpack/JEP/37

From MozillaWiki
THIS PAGE IS A WORKING DRAFT
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.

Introduction

This document describes a simple framework that allows untrusted code and its associated resources to be executed in accordance with the principle of least authority.

The reference implementation for this framework is called jpx.

Philosophy

Currently, a major disadvantage of the Mozilla extension platform is that, because add-ons have as much authority as Firefox itself, it is very easy for a novice add-on developer to accidentally expose the end user's system to privilege escalation attacks by remote web pages.

This proposal attempts to resolve the above problem by effectively enclosing an addon in a sandbox and providing it with only the capabilities it needs to complete its task. This minimizes the amount of contact between chrome and content, which reduces the surface area for potential attack while constructing a secure, generative platform for addon developers to build on.

The available spectrum of capabilities is not intended to be dictated to addon developers by some higher authority: rather, capabilities can be written by anyone who understands the platform that lies at the core of Mozilla products and possesses the ability to write secure code for it. In other words, the framework described in this document is intended merely to provide the tools the Mozilla community needs to create a safe platform for itself.

Specification

Jetpacks

In the context of this document, a jetpack is a collection of code and metadata about the code. The code, if executed, is run in a sandbox in accordance with the principle of least authority.

A capability is an object in a JavaScript sandbox that endows code with the ability to do something it is otherwise incapable of doing: e.g. accessing a file, the network, a user password, and so forth.

The jetpack's metadata is called a manifest and can be expressed as a JSON object. It has the following keys:

  • name - a string specifying the name of the jetpack.
  • capabilities - an object describing the capabilities the jetpack needs access to in order to function properly. Each key names a required capability, and its value gives optional parameters that further attenuate that capability.

Capability Factories

A capability factory is an object that is capable of:

  1. creating a capability object which is accessible from a jetpack sandbox, optionally attenuated as per certain parameters expressed as a JSON object, and
  2. describing what the capability does in terms that a reasonably technical end-user can understand.

Following are the methods any capability factory must implement.

describe(params)

Return a string describing what the capability provides, possibly attenuated as per the given optional JSON object parameter. This string may be shown to technical reviewers or adventurous end-users who obtain an add-on from an untrusted site, and can be used to help someone subjectively determine how much risk an addon presents to their system.

If the value of params is invalid for some reason, this method should return null.

create(params)

Create and return a capability attenuated as per the given optional JSON object parameter.

For security purposes, any non-primitive, non-function object returned directly or indirectly by create() should carry an __exposedProps__ property as defined by the Chrome Object Wrapper specification; otherwise, an exception will be thrown.

If the value of params is invalid for some reason, this method should return null.
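The manifest format and the factory contract above, worked through as an added example that is not jpx's own code: a hypothetical "network" capability factory whose `hosts` parameter attenuates which hosts may be reached, plus a minimal loader that turns a manifest into sandbox globals. The `transport` function and the sample manifest are constructed for illustration.

```javascript
// Added example, not jpx code; "network", `hosts` and `transport` are assumed.
function parseNetworkParams(params) { // -> { allowed: Set|null }, null if invalid
  if (params == null) return { allowed: null };    // absent params: unattenuated
  if (typeof params !== "object" || !Array.isArray(params.hosts) ||
      !params.hosts.every((h) => typeof h === "string")) return null;
  return { allowed: new Set(params.hosts) };
}
function makeNetworkFactory(transport) {
  return {
    describe(params) {
      const p = parseNetworkParams(params);
      if (p === null) return null;                   // invalid params -> null
      return p.allowed
        ? `Make HTTP requests, but only to: ${[...p.allowed].join(", ")}`
        : "Make HTTP requests to any host on the Internet";
    },
    create(params) {
      const p = parseNetworkParams(params);
      if (p === null) return null;                   // invalid params -> null
      // __exposedProps__ is what the Chrome Object Wrapper consults; only `request` is exposed.
      return {
        __exposedProps__: { request: "r" },
        request(url) {
          const host = new URL(url).hostname;
          if (p.allowed && !p.allowed.has(host)) throw new Error(`network capability does not permit ${host}`);
          return transport(url);
        },
      };
    },
  };
}
// Build sandbox globals for a manifest: refuse unknown capabilities, rejected
// params, and returned objects that lack __exposedProps__.
function loadJetpack(manifest, registry) {
  const globals = {};
  for (const [name, params] of Object.entries(manifest.capabilities || {})) {
    const factory = registry[name];
    if (!factory) throw new Error(`unknown capability: ${name}`);
    const cap = factory.create(params);
    if (cap === null) throw new Error(`invalid params for capability ${name}`);
    if (typeof cap === "object" && !("__exposedProps__" in cap)) throw new Error(`${name}: returned object lacks __exposedProps__`);
    globals[name] = cap;
  }
  return globals;
}
// Constructed sample manifest and fake transport (no real network access).
const manifest = { name: "weather-badge",
  capabilities: { network: { hosts: ["api.example.org"] } } };
const registry = { network: makeNetworkFactory((url) => `fetched ${url}`) };
```

Calling `loadJetpack(manifest, registry).network.request(...)` succeeds for api.example.org and throws for any other host, while a manifest naming an unregistered capability or passing malformed `hosts` is refused before any code runs.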

Usage