Security/Reviews/Firefox6/ReviewNotes/NPAPIAsyncDrawing

From MozillaWiki
Jump to: navigation, search

Date of Review: 2011.05.24

Items Reviewed:

Notes

  • plug-ins create buffers for use in drawing and tell browser which one should be used to draw to screen
    • old buffer unset as current in this case
    • 2 buffers usually, one current and one in background
    • plug-in can draw as needed
  • supplemental rather than replace or change, drawing is negotiated on a per instance basis with the browser

Issues:

Questions:

Is this the async plugin feature that's going to fix security bugs such as bug 552002 and bug 591409 ?

  • no, only used if plug-in vendor uses is thus this is not related to these bugs directly
  • will these be fixed if a plug-in vendor chooses to use the new model?
    • does not fix them, but the implementation presumes that the new model is immune to these issues
  • are we ever going to be able to fix these security bugs for plugins that don't switch to the new API? yes, bug 598425
  • this fixes our implementation-detail fix to the API level

Will this API be safe for untrusted, low-privilege plugins? Is this an API that happens entirely within the child process?

  • unknown as low privilege plug-in work has not been scoped
    • complete sandbox model would not work with this and appears unlikely
    • bitmap drawing model would work and seems more likely

Is this an API that happens entirely within the child process?

  • No this does not happen within the child, it communicates with the parent process

Does anything exciting happen when the plugin changes size?

  • buffers of plugin are drawn to size of plug-in area, plugin is responsible for changing size if needed
  • we send a size-change event to the plugin. until the plugin responds, we (crop? stretch?) when we paint :)
  • low chance of races

Actions: