Items to be reviewed

Add-on Sync

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • sync add-ons between sync enabled devices
    • xpi extensions and themes from AMO in profile directory for initial version
  • in JS in sync, running as chrome priv
  • different devices may run different versions of Firefox
    • tries to install
    • no explicit UX for any part of this - the user is not prompted
  • later to support all add-ons, out of scope for this review
  • this will apply to all add-ons, fully reviewed and partially reviewed
  • this sync feature does not sync across devices (desktop -> mobile)
    • later addition
  • sync of add-on state (local resources, prefs, etc) is not in initial feature
    • the add-on "enabled" state does get synced.
    • just the add-on ID and meta data (client ID, platform ID, etc) -> add-ons mgr API -> gets xpi from AMO
      • add-on version isn't synced
  • there's a sync preference / check box to opt out of this

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

Any security threats already considered in the design and why?

(from feature page)

  • The feature follows the same security model as other sync engines: add-on records are encrypted using the Sync Key and the IDs for each add-on are randomly generated.
  • For the initial feature drop, synchronized add-ons will be limited to:
    • XPI extensions or themes
    • from the same application ID as other Sync profiles
    • installed in the profile directory
    • installed explicitly by the user (those put in the profile directory by nefarious applications will be ignored - !addon.foreignInstall)
    • installed from
      • In the implementation, the hostname is defined by a preference; the default value is **
  • This is the first component of Sync which will indirectly communicate with a non-Sync server. Sync will be talking with it via the AddonRepository JS APIs (over HTTPS); Sync assumes those APIs are doing the proper things to secure against MITM attacks, etc.
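The inclusion rules above, written out as one predicate over add-on records. This is an added illustration, not code from the review or from Mozilla's Sync engine; apart from `foreignInstall`, which the review names, the record fields (`type`, `appID`, `scope`, `sourceURI`) and the allowed-host value are assumptions, since the page does not give the preference's default. The point worth seeing in code is the source check: the hostname is parsed from the URI and compared exactly, so a lookalike host that merely contains the allowed name is rejected.

```javascript
// Added example: models the "synchronized add-ons will be limited to" list
// as a filter. Field names other than `foreignInstall` are assumptions and
// do not reflect the real Add-ons Manager API.

const SYNCABLE_TYPES = new Set(["extension", "theme"]);

// Stand-in for the hostname preference. The review elides the default value,
// so this is a placeholder, not the real host.
const ALLOWED_SOURCE_HOST = "addons.example.invalid";

// Parse the source URI and require HTTPS plus an exact hostname match.
// A substring or prefix test would also accept hosts that merely contain
// the allowed name, so the comparison is on the parsed hostname only.
function sourceHostAllowed(sourceURI, allowedHost) {
  let url;
  try {
    url = new URL(sourceURI);
  } catch (e) {
    return false; // unparsable or missing URI: never sync it
  }
  return url.protocol === "https:" && url.hostname === allowedHost;
}

// True when an add-on record meets every rule from the review:
// XPI extension or theme, same application ID, profile scope, explicitly
// installed by the user (!foreignInstall), and downloaded from the allowed host.
function isSyncableAddon(addon, localAppID, allowedHost = ALLOWED_SOURCE_HOST) {
  return (
    SYNCABLE_TYPES.has(addon.type) &&
    addon.appID === localAppID &&
    addon.scope === "profile" &&
    addon.foreignInstall === false &&
    sourceHostAllowed(addon.sourceURI, allowedHost)
  );
}

// Returns only the IDs that would be written into sync records; the version
// is deliberately not part of the output, matching the notes above.
function syncableIds(addons, localAppID) {
  return addons.filter((a) => isSyncableAddon(a, localAppID)).map((a) => a.id);
}

// Constructed sample records covering each rule.
const SAMPLE_ADDONS = [
  { id: "ok@example.invalid", type: "extension", appID: "firefox", scope: "profile",
    foreignInstall: false, sourceURI: "https://addons.example.invalid/file/ok.xpi" },
  { id: "theme@example.invalid", type: "theme", appID: "firefox", scope: "profile",
    foreignInstall: false, sourceURI: "https://addons.example.invalid/file/theme.xpi" },
  // Dropped into the profile by a third-party installer
  { id: "foreign@example.invalid", type: "extension", appID: "firefox", scope: "profile",
    foreignInstall: true, sourceURI: "https://addons.example.invalid/file/foreign.xpi" },
  // Hostname contains the allowed name but is a different host
  { id: "lookalike@example.invalid", type: "extension", appID: "firefox", scope: "profile",
    foreignInstall: false, sourceURI: "https://addons.example.invalid.other.example/x.xpi" },
  // Plain HTTP source
  { id: "http@example.invalid", type: "extension", appID: "firefox", scope: "profile",
    foreignInstall: false, sourceURI: "http://addons.example.invalid/file/http.xpi" },
  // Not an extension or theme
  { id: "plugin@example.invalid", type: "plugin", appID: "firefox", scope: "profile",
    foreignInstall: false, sourceURI: "https://addons.example.invalid/file/plugin.xpi" },
  // Installed outside the profile directory
  { id: "system@example.invalid", type: "extension", appID: "firefox", scope: "system",
    foreignInstall: false, sourceURI: "https://addons.example.invalid/file/system.xpi" },
  // Different application ID
  { id: "otherapp@example.invalid", type: "extension", appID: "thunderbird", scope: "profile",
    foreignInstall: false, sourceURI: "https://addons.example.invalid/file/other.xpi" },
];

console.log(syncableIds(SAMPLE_ADDONS, "firefox"));
```

Run with `node`, it prints the two IDs that pass every rule; everything else in the sample list fails exactly one of them, which makes the list a handy regression set if the rules change.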

Threat Brainstorming

  • Attacker with access to your sync account could silently push malicious add-ons to your sync clients
    • is this a sync problem or a problem for this feature?
      • a problem introduced by the feature. Before this feature, an attacker could only push bookmarks/history to your sync devices.
  • Privacy: AMO (or in future, other download sites) can track you across installs
    • Ok for AMO if you are logged in, but also not an issue since we already know this via sync service
    • Communication via HTTPS too (super double bonus)
    • no extra "cert property" checks (true of addon updates as well)
  • new sync engine will not require storage version bump.

Conclusions / Action Items

  • [mossop] check whether experimental addons would also be sync'd. We don't want them to be, only reviewed add-ons should be allowed.
  • continue looking at ways to protect the sync account and give users more information about their sync account
    • out of scope for this feature