Security/Reviews/Firefox4/AddonUI Security Review

From MozillaWiki

Security Review Pre-Work

Please fill out the short section below prior to the review, and make sure you contact to schedule your actual review.


The add-on bar is a toolbar at the bottom of the browser, where the statusbar used to be. It is a place for add-ons to insert their UI. The toolbar is a typical XUL toolbar. The only addition from an API perspective was a change to the toolbar customization code to allow customizing a toolbar outside of the navigation toolbox.

Background links


For the most part, the add-on bar uses age-old, well-known APIs in Firefox. Possible threats could involve:

  • It allows add-ons to put items on a toolbar.
  • It allows web content inside chrome widgets.
  • The web widgets are customizable via the toolbar palette.

Topics To Discuss During The Review

  • How do add-ons get widgets onto the bar
  • What content is allowed in add-on widgets
  • Can widget content be remote
  • Can chrome listen to content events
  • Do widgets respond to chrome events
  • Do widget events cross into chrome
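As an added illustration of the threats and review topics listed above (not code from this review or from Firefox itself), the XUL overlay below registers a widget in the toolbar palette so it can be customized onto the add-on bar, loads its web content in a content-privileged browser element instead of in chrome, and has the chrome side act only on trusted events rather than on events synthesized by content script. The overlay id, widget ids, the remote URL and the default-placement logic are assumptions made for this example.

```xml
<?xml version="1.0"?>
<!-- Hypothetical add-on overlay written for this review page; not Firefox code. -->
<overlay id="example-addonbar-overlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

  <!-- Registering the widget in the palette (rather than hard-wiring it into
       the add-on bar) is what makes it customizable via Customize Toolbar. -->
  <toolbarpalette id="BrowserToolbarPalette">
    <toolbaritem id="example-widget" label="Example widget" title="Example widget">
      <!-- type="content" keeps the loaded page at web-content privilege;
           a browser element without it would run the remote page as chrome. -->
      <browser id="example-widget-browser"
               type="content"
               src="https://widget.example/status.html"
               disablehistory="true"
               height="24"/>
    </toolbaritem>
  </toolbarpalette>

  <script type="application/javascript"><![CDATA[
    // Chrome-side listener for the widget. Events dispatched by content
    // script arrive with isTrusted == false, so chrome ignores them and
    // only reacts to genuine user interaction.
    function exampleWidgetOnClick(event) {
      if (!event.isTrusted) {
        return;   // synthetic event from the content page: do nothing
      }
      // chrome-privileged action for a real click would go here
    }

    window.addEventListener("load", function exampleWidgetInit() {
      window.removeEventListener("load", exampleWidgetInit, false);
      var toolbar = document.getElementById("addon-bar");
      // Assumed placement logic: put the widget on the add-on bar once,
      // unless the user has already placed or removed it via customization.
      if (toolbar && toolbar.currentSet.split(",").indexOf("example-widget") == -1) {
        toolbar.insertItem("example-widget");
        toolbar.setAttribute("currentset", toolbar.currentSet);
        document.persist(toolbar.id, "currentset");
      }
      // The browser element only exists in the document once the widget is
      // on a toolbar; while it sits in the palette there is nothing to wire.
      var browser = document.getElementById("example-widget-browser");
      if (browser) {
        browser.addEventListener("click", exampleWidgetOnClick, true);
      }
    }, false);
  ]]></script>
</overlay>
```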

Review comments

  • add-on bar spoofing: file bug for add-on reviewers to look out for statusbar spoofing - dietrich emailed jorge to see how best to get this in front of add-on reviewers' eyes.