Labs/Jetpack/JEP/37

From MozillaWiki
Revision as of 23:28, 15 December 2009 by Varmaa (talk | contribs) (added philosophy and specification sections)
THIS PAGE IS A WORKING DRAFT
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

Introduction

This document describes a simple framework that allows untrusted code and its associated resources to be executed in accordance with the principle of least authority.

The reference implementation for this framework is called jpx.

Philosophy

The goal of this framework is to enable Mozilla community members to leverage the strengths of the Mozilla platform without placing end-users at undue risk. Currently, one major disadvantage of the extension platform is that, because add-ons have as much authority as Firefox itself, it is very easy for a novice add-on developer to accidentally expose the end user's system to privilege escalation attacks by remote web pages.

The most straightforward way to understand the framework described here is as a privilege separation mechanism: content-space extension code uses chrome-privileged objects called capabilities, provided by trusted capability factories, to accomplish what it needs to do, asking for the absolute minimum number of capabilities possible. The less authority the add-on needs, the faster it will pass through review queues at trusted sites like AMO, and the less risk an end-user is exposed to if the add-on is compromised.

Capability factories are intended to be written by anyone who understands the platform that lies at the core of Mozilla products and is able to write secure code for it. Capabilities are intended to minimize the amount of contact between chrome and content, which reduces the surface area for potential attack while constructing a secure, generative platform for add-on developers to build on.

Specification

Jetpacks

In the context of this document, a jetpack is a collection of code and metadata about the code. The code, if executed, is run in a sandbox in accordance with the principle of least authority.

A capability is an object in a JavaScript sandbox that endows code with the ability to do something it is incapable of doing by any other means at its disposal: accessing a file, the network, a user password, and so forth.

The jetpack's metadata is called a manifest and can be expressed as a JSON object. It has the following keys:

  • name - a string specifying the name of the jetpack.
  • capabilities - an object containing information about the capabilities the jetpack needs access to in order to function properly. Each property in the object specifies the name of a required capability, and each value specifies optional parameters that can further attenuate the capability.

Capability Factories

A capability factory is an object that is capable of:

  1. creating a capability object which is accessible from a jetpack sandbox, optionally attenuated as per certain parameters expressed as a JSON object, and
  2. describing what the capability does in terms that a reasonably technical end-user can understand.
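The following is an added example, not jpx's own code, that models both the manifest described above and the two duties of a capability factory: a loader validates a manifest, looks up each requested capability in a factory registry, creates it attenuated by the manifest's parameters, and produces the end-user-readable descriptions. The "storage" and "network" factories, their `prefix` and `hosts` parameters, the in-memory backing store and the sample manifest are all hypothetical constructions for illustration.

```javascript
// Added example: a toy model of a jpx-style loader. The factories, their
// attenuation parameters and the loader are hypothetical, not jpx's API.

// In-memory stand-in for privileged (chrome-side) state.
const chromeStore = new Map();

// Each capability factory can (1) create an attenuated capability object
// and (2) describe it in terms a technical end-user can understand.
const capabilityFactories = {
  storage: {
    // params.prefix confines the jetpack to keys inside its own namespace.
    create(params) {
      const prefix = String((params && params.prefix) || "");
      const scoped = (key) => {
        if (typeof key !== "string" || key.includes("..")) {
          throw new Error("storage: invalid key " + JSON.stringify(key));
        }
        return prefix + key;
      };
      return Object.freeze({
        get: (key) => chromeStore.get(scoped(key)),
        set: (key, value) => { chromeStore.set(scoped(key), String(value)); },
      });
    },
    describe(params) {
      const prefix = (params && params.prefix) || "";
      return prefix
        ? `store and read data under the namespace "${prefix}"`
        : "store and read any data";
    },
  },
  network: {
    // params.hosts, when present, is an allow-list of reachable hosts.
    create(params) {
      const hosts = params && params.hosts ? new Set(params.hosts) : null;
      return Object.freeze({
        fetch(urlString) {
          const url = new URL(urlString);
          if (hosts && !hosts.has(url.host)) {
            throw new Error("network: host not permitted: " + url.host);
          }
          // Constructed stand-in for a response; no real network is used.
          return { status: 200, host: url.host, body: "" };
        },
      });
    },
    describe(params) {
      const hosts = (params && params.hosts) || [];
      return hosts.length
        ? "contact the following sites: " + hosts.join(", ")
        : "contact any site on the network";
    },
  },
};

// Validate the manifest and build the sandbox's capability set from it.
// The jetpack receives exactly what it declared, attenuated, and nothing else;
// an unknown capability name is refused rather than silently ignored.
function loadJetpack(manifest, factories = capabilityFactories) {
  if (!manifest || typeof manifest.name !== "string") {
    throw new Error("manifest: 'name' must be a string");
  }
  const requested = manifest.capabilities || {};
  if (typeof requested !== "object" || Array.isArray(requested)) {
    throw new Error("manifest: 'capabilities' must be an object");
  }
  const granted = {};
  const descriptions = [];
  for (const [capName, params] of Object.entries(requested)) {
    const factory = Object.prototype.hasOwnProperty.call(factories, capName)
      ? factories[capName] : undefined;
    if (!factory) {
      throw new Error(`manifest: unknown capability '${capName}'`);
    }
    granted[capName] = factory.create(params);
    descriptions.push(`${manifest.name} can ${factory.describe(params)}`);
  }
  return { name: manifest.name, capabilities: Object.freeze(granted), descriptions };
}

// Constructed sample manifest for a hypothetical weather-widget jetpack.
const sampleManifest = {
  name: "weather-widget",
  capabilities: {
    storage: { prefix: "weather-widget/" },
    network: { hosts: ["api.example.com"] },
  },
};

// Exercise the loaded jetpack; returns what happened so it can be checked.
function demo() {
  const jetpack = loadJetpack(sampleManifest);
  jetpack.capabilities.storage.set("last-city", "Toronto");
  const allowedHost = jetpack.capabilities.network.fetch("https://api.example.com/v1").host;
  let blocked = false;
  try { jetpack.capabilities.network.fetch("https://other.example.net/"); }
  catch (e) { blocked = true; }
  return { stored: chromeStore.get("weather-widget/last-city"), allowedHost, blocked };
}
```

The `descriptions` array is what a reviewer or install prompt would show: because each factory's `describe` takes the same parameters as its `create`, the text shown to the user and the authority actually granted cannot drift apart.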

Usage