Security/Reviews/Devtools/responsivemode

From MozillaWiki

Responsive Design Security Review

Overview

People browse the web with an enormous variety of devices and screen sizes today.

The Responsive Design View allows developers to quickly emulate different screen sizes to see how their designs react to the change.

Architecture

This feature is entirely self-contained within Firefox and does not interact with any remote services.

It does not use any third-party components.

Data Flow Enumeration

Very little data is processed by the code.

User input is limited to:

  • One pulldown menu, to select a preset window size
  • One button, to rotate the axes (swap width and height)
  • Three window-resizing drag controls

Threat Analysis

This is a small, well-constrained feature with a very small attack surface.

It does not accept any free-form text input, so it offers no input that could be used as an XSS vector.

The implementation is built on existing window-resizing functionality and so introduces very little new code.

There is a minor information-disclosure issue: a web page can infer that Responsive Mode is in use by watching for large, abrupt changes in viewport size via the window.onresize event. A user manually dragging a window edge generates a series of events with relatively small changes in size, whereas selecting a preset or rotating the axes in Responsive Mode causes a single, much larger jump. This is a detection (fingerprinting) signal rather than an exploitable weakness. Note that other 'resizing' Firefox extensions will also exhibit this behavior.
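To make the detection signal concrete, the following is an added example (not code from Firefox or from this review) of the heuristic a page could run: it records the viewport size at each resize event and flags any single step larger than an assumed threshold as a tool-driven resize rather than a manual drag. The threshold value, the function names and the sample traces are all assumptions constructed for illustration.

```javascript
// Added example, not Firefox code: a page-side heuristic that guesses whether a
// viewport-resizing tool (such as Responsive Design View) is active by looking
// at the size of each step between consecutive resize events.

// Assumed threshold: a single step larger than this is treated as "not a drag".
const JUMP_THRESHOLD_PX = 200;

// trace: array of {w, h} viewport samples in event order; trace[0] is the
// initial size. Returns the largest single step seen, every step that exceeds
// the threshold, and a verdict string.
function classifyResizeTrace(trace, threshold = JUMP_THRESHOLD_PX) {
  const result = { largestStep: 0, jumps: [], verdict: 'manual-or-none' };
  for (let i = 1; i < trace.length; i++) {
    const dw = Math.abs(trace[i].w - trace[i - 1].w);
    const dh = Math.abs(trace[i].h - trace[i - 1].h);
    const step = Math.max(dw, dh);
    if (step > result.largestStep) result.largestStep = step;
    if (step >= threshold) result.jumps.push({ index: i, dw, dh });
  }
  if (result.jumps.length > 0) result.verdict = 'tool-resize-suspected';
  return result;
}

// Constructed sample traces (not captured from a real browser).
// A user dragging a window edge: many events, each a few pixels apart.
const manualDrag = [
  { w: 1280, h: 800 }, { w: 1275, h: 800 }, { w: 1260, h: 798 },
  { w: 1240, h: 795 }, { w: 1210, h: 790 },
];
// Selecting a phone-sized preset: one event with a large jump.
const presetSwitch = [{ w: 1280, h: 800 }, { w: 320, h: 480 }];
// Rotating the axes: width and height swap in a single event.
const rotateAxes = [{ w: 360, h: 640 }, { w: 640, h: 360 }];

// Browser-only hookup: appends each resize event's innerWidth/innerHeight to a
// trace and reports the running verdict. Returns the trace so a caller can
// inspect it. Does nothing useful outside a browser; guarded below.
function attachResizeDetector(win, onVerdict) {
  const trace = [{ w: win.innerWidth, h: win.innerHeight }];
  win.addEventListener('resize', () => {
    trace.push({ w: win.innerWidth, h: win.innerHeight });
    onVerdict(classifyResizeTrace(trace));
  });
  return trace;
}

if (typeof window !== 'undefined') {
  attachResizeDetector(window, (r) => console.log(r.verdict, r.largestStep));
}
```

The signal is weak: maximising or restoring a window also produces a single large step, so any page relying on this heuristic gets false positives, which is consistent with the review's conclusion that the behaviour is a minor fingerprinting concern rather than a vulnerability.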

Links