Firefox 3.6/Personas Uplift Security Review
Describe the goals and objectives of the feature here.
- Background links
- feature-tracking bug links
- specs or design docs
Security and Privacy
- What potential security issues in your feature have you already considered and addressed?
- We don't verify that the files stored as $PROFILE_FOLDER/lightweighttheme-header and $PROFILE_FOLDER/lightweighttheme-footer are in fact images.
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
- The xpinstall whitelist is re-used, since the capability it's associated with is "Install Extensions or Themes", where lightweight themes fit in. getpersonas.com is by default whitelisted.
The browser accepts these events from content: InstallBrowserTheme, PreviewBrowserTheme, ResetBrowserThemePreview. InstallBrowserTheme requires the event target to have a data-browsertheme attribute which contains a JSON string.
The decoded object must contain: "id", "name", "headerURL". It may contain: "footerURL", "textcolor", "accentcolor", "iconURL", "previewURL", "author", "description", "homepageURL". All values must be strings. Keys ending with "URL" must be absolute URLs or URLs relative to the event target's baseURI. Invalid URLs and URLs that don't start with https?: are dropped. Empty strings are dropped.
The InstallBrowserTheme event causes the theme to be installed if the site is on the xpinstall whitelist, and raises a notification bar otherwise. The PreviewBrowserTheme and ResetBrowserThemePreview events are allowed for whitelisted sites only. Previews are reset automatically after 30 seconds, in case the ResetBrowserThemePreview event is never dispatched.
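The validation rules for the data-browsertheme payload, written out as an added example (not Firefox's own LightweightThemeManager code). The key names and rules come from the description above; the function names, the constructed sample payload and the base URI are assumptions, and "all values must be strings" is read here as rejecting the whole payload when a value is not a string.

```javascript
// Required and optional keys of the data-browsertheme JSON object (from the page).
const REQUIRED_KEYS = ["id", "name", "headerURL"];
const OPTIONAL_KEYS = ["footerURL", "textcolor", "accentcolor", "iconURL",
                       "previewURL", "author", "description", "homepageURL"];

// Resolve a *URL value against the event target's baseURI. Returns null when the
// value is not a valid URL or its scheme is not http/https, so the caller drops it.
function resolveThemeURL(value, baseURI) {
  let url;
  try { url = new URL(value, baseURI); } catch (e) { return null; }
  return /^https?:$/.test(url.protocol) ? url.href : null;
}

// Parse the attribute string and return a sanitised theme object, or null when the
// payload is unacceptable: bad JSON, not an object, a non-string value, or a
// required key missing (including a required URL that was dropped).
function parseBrowserTheme(attrValue, baseURI) {
  let data;
  try { data = JSON.parse(attrValue); } catch (e) { return null; }
  if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
  const theme = {};
  for (const key of [...REQUIRED_KEYS, ...OPTIONAL_KEYS]) {
    if (!(key in data)) continue;            // unknown/absent keys are simply ignored
    let value = data[key];
    if (typeof value !== "string") return null; // all values must be strings
    if (value === "") continue;              // empty strings are dropped
    if (key.endsWith("URL")) {
      value = resolveThemeURL(value, baseURI);
      if (value === null) continue;          // invalid or non-http(s) URLs are dropped
    }
    theme[key] = value;
  }
  for (const key of REQUIRED_KEYS) if (!(key in theme)) return null;
  return theme;
}

// Constructed sample: a relative headerURL (resolved), a non-http footerURL (dropped)
// and an empty textcolor (dropped). Base URI is a placeholder, not a real site.
const SAMPLE_BASE = "https://example.invalid/themes/";
const SAMPLE_ATTR = JSON.stringify({
  id: "42", name: "Sky", headerURL: "/img/header.png",
  footerURL: "data:image/png;base64,AAAA", textcolor: "", author: "someone",
});
console.log(parseBrowserTheme(SAMPLE_ATTR, SAMPLE_BASE));
```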
- What data is read or parsed by this feature?
- the data-browsertheme attribute is read from content and parsed using JSON.parse
- What storage formats are used?
- prefs (boolean & JSON strings) and actual files: $PROFILE_FOLDER/lightweighttheme-header, $PROFILE_FOLDER/lightweighttheme-footer
- What failure modes or decision points are presented to the user?
- When the InstallBrowserTheme event is dispatched on a content node, a notification bar appears, saying that this site (the location.host of the node's ownerDocument) attempted to install a theme. There's an "Allow" button. Not approved for 1.9.2 yet: When a theme has been installed, another notification bar confirms that a theme has been installed, allowing the user to undo this or manage themes (open the add-ons manager's themes pane).
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- We depend on nsIWebBrowserPersist.saveURI when it comes to storing the header and footer images.
Relationships to other projects
Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
- The xpinstall whitelist should not be used for this new feature. Instead, a new whitelist should be used. See bug 522522.
- what parts of the browser can personas modify?
- only the main window, and then only backgrounds
- should animated images be disallowed?
- Jesse's concern: after an hour, image animates to show something that looks like a message from firefox
- since it's only the background and not clickable, it probably wouldn't be too convincing
- could we make animated personas go through a review process for inclusion on getpersonas.com, at least?
- when you install a persona, is the image stored forever, or do we hit the server sometimes (e.g. for updates or falling out of the cache)?
- what are the privacy and MITM implications?
- does leaving the page while a preview is active always reset the preview?
- only allow permanently applying a theme at times when popups are allowed (e.g. on click)?
- Review guidelines for personas are changing, defined later.
- images are limited to JPG and PNG on the personas site (using ImageMagick to check the formats).
- the client itself doesn't check.
- client stores the images, but will check for updates.
- When a site installs a persona we bring up an info bar with an undo button
- Undo button is not much of a security measure, since it is likely to go away if the site causes the page to navigate, causes the tab to be closed, or makes Firefox crash.
- Sites can be unwhitelisted in site prefs
- unwhitelisted sites get an "allow once" infobar if they try to install a persona
- unwhitelisted sites cannot preview a persona
- update checks should obey the addon update check pref
- urls for themes are restricted to http/https