WebExtensions/Review

This page presents some preliminary thoughts on the review model for WebExtensions. We should ensure that it informs the design of future WebExtension permissions and APIs.

Relevant documentation

• Permissions
• Permissions warnings
• Programmatic content script injection
• Cross-origin requests
• activeTab permission

Threats/problems

Malicious add-ons:

• Ad injection.
• Tracking pages visited.
• Undesirable changes to browser UI that are hard to revert (default search engine, new tab page, unwanted toolbar).

Poorly coded add-ons that can cause problems:

• Privilege escalation from content pages (the sort of stuff wrappers defend against).
• Slowing down your browser (by injecting slow content scripts with mousemove handlers or mutation observers).

Additional problems:

• Overly broad permissions for extensions. The article doesn't mention the activeTab permission, which should mitigate some of these issues.

• Good extensions sold to bad actors and turned into malware.

Possible review model

Extension manifests should contain a concise overview of everything that's relevant for review. The manifest should always be reviewed by a person based on what the add-on is designed to do.

I think we should have a rule that extensions requesting a permission they don't need will be rejected.

The broader the permission, the more need there is for manual review. A list of permissions and how common they are can be found in Table 1 of Heule et al. Extension authors will naturally want to minimize their permissions to speed up reviews.

Classes of add-ons

I think we should figure out how to set permissions for each class of add-on so that it doesn't ask for anything overly broad.

• Content/ad blockers
• Password managers
• Page-specific Greasemonkey-type scripts (including things like Reddit Enhancement Suite)
• Non-page-specific content modification (e.g., Google translate)
• UI-only add-ons (Vertical Tabs, Colorful Tabs)
• Video downloaders
• Toolbars
• "Antivirus" add-ons
• Developer tools

Decisions

• How much risk are we willing to tolerate? If an add-on injects a script into a page that it's designed to touch (Pinterest add-on on pinterest.com), do we need to review the code for the content script manually? It could still inject ads or track the user's activity on Pinterest.

Question: Can we limit the ways that a malicious content script can get data out? We can restrict the way it uses XHRs. What about loads that it triggers by adding elements to the document?

• How do we explain to users the permissions that an extension is asking for? I'm not sure how useful this even is. Permissions are hard to explain. I'd rather have them examined by a team of experts.

• What will we look for during automated review?
• What will manual reviewers do?

Additional resources

• http://stefanheule.com/papers/hotos15-extsec.pdf
• http://cs.ucsb.edu/~kapravel/publications/sp2015_adinjection.pdf