Security Review Pre-Work

Please fill our the short section below prior to the review, and make sure you contact security@mozilla.org to schedule your actual review.

Overview

The add-on bar is a toolbar at the bottom of the browser, where the statusbar used to be. It is a place for add-ons to insert their UI. The toolbar is a typical XUL toolbar. The only addition from an API perspective was a change to the toolbar customization code to allow customizing a toolbar outside of the navigation toolbox.

Background links

• bug 574688 - main bug
• https://developer.mozilla.org/en/The_add-on_bar
  

Threats

For the most part, the add-on bar uses age-old, well-known APIs in Firefox. Possible threats could involve:

• It allows add-ons to put items on a toolbar.
• It allows web content inside chrome widgets.
• The web widgets are customizable via the toolbar palette.

Topics To Discuss During The Review

• How do add-ons get widgets onto the bar
• What content is allowed in add-on widgets
• Can widget content be remote
• Can chrome listen to content events
• Do widgets respond to chrome events
• Do widget events cross into chrome

Review comments

• addons bar spoofing: file bug for add-on reviewers to look out for statusbar spoofing - dietrich emailed jorge to see how best to get this in front of add-on reviewer's eyes.