Security/Reviews/Firefox6/ReviewNotes/NPAPIAsyncDrawing
Jump to navigation
Jump to search
Date of Review: 2011.05.24
Items Reviewed:
Notes
- plug-ins create buffers for use in drawing and tell browser which one should be used to draw to screen
- old buffer unset as current in this case
- 2 buffers usually, one current and one in background
- plug-in can draw as needed
- supplemental rather than replace or change, drawing is negotiated on a per instance basis with the browser
Issues:
Questions:
Is this the async plugin feature that's going to fix security bugs such as bug 552002 and bug 591409 ?
- no, only used if plug-in vendor uses is thus this is not related to these bugs directly
- will these be fixed if a plug-in vendor chooses to use the new model?
- does not fix them, but the implementation presumes that the new model is immune to these issues
- are we ever going to be able to fix these security bugs for plugins that don't switch to the new API? yes, bug 598425
- this fixes our implementation-detail fix to the API level
Will this API be safe for untrusted, low-privilege plugins? Is this an API that happens entirely within the child process?
- unknown as low privilege plug-in work has not been scoped
- complete sandbox model would not work with this and appears unlikely
- bitmap drawing model would work and seems more likely
Is this an API that happens entirely within the child process?
- No this does not happen within the child, it communicates with the parent process
Does anything exciting happen when the plugin changes size?
- buffers of plugin are drawn to size of plug-in area, plugin is responsible for changing size if needed
- we send a size-change event to the plugin. until the plugin responds, we (crop? stretch?) when we paint :)
- low chance of races