Security/Reviews/Firefox10/CSS3DTransforms
From MozillaWiki
- Items to be reviewed
CSS3 3D Transforms
- Feature Page: https://wiki.mozilla.org/CSS3_3D_Transforms
- Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=505115
- Spec: http://dev.w3.org/csswg/css3-3d-transforms/
Introduce Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- extends CSS transforms with new keywords to transform any CSS into a 3D perspective
- this uses the 3D features of the graphics card; most of this was already done in the graphics area, so this just extends into that
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
- proposed CSS standard
Any security threats already considered in the design and why?
- N/A
Threat Brainstorming
- interaction with graphics card, support, crashes (QA perspective)
- this is nothing we did not already have with layout
- consider fuzzing on a wider variety of graphics cards/drivers, but this is most likely to find graphics card bugs (in which case we'd blacklist) rather than Firefox/cairo bugs, and it's probably not worth the effort.
- <discussion of Jesse's fuzzing techniques>
- seems to indicate that he is using the correct path
- Does the 3D transform code use a different path compared to 2D when the page is navigated?
- No, there shouldn't be a residual image in the graphics framebuffer
- Since this is a proposed spec, is it prefixed or pref-ed off by default?
- prefixed with -moz-
- we have a pref for now, default to enabled, and will probably remove it in a few releases
- preffing it off is likely to break sites, because they'll detect support and try to use the non-working CSS properties, so preffing off the feature isn't a great mitigation to have.
- Site compat bug: https://bugzilla.mozilla.org/show_bug.cgi?id=682627
Conclusions / Action Items
- [Jesse] continue fuzzing, general CSS fuzzing