Security/Reviews/Firefox4/AddonUI Security Review
From MozillaWiki
Security Review Pre-Work
Please fill out the short section below prior to the review, and make sure you contact security@mozilla.org to schedule the review itself.
Overview
The add-on bar is a toolbar at the bottom of the browser, where the statusbar used to be. It is a place for add-ons to insert their UI. The toolbar is a typical XUL toolbar. The only addition from an API perspective was a change to the toolbar customization code to allow customizing a toolbar outside of the navigation toolbox.
- Background links
Threats
For the most part, the add-on bar uses age-old, well-known Firefox APIs. The new exposure comes from three capabilities:
- Add-ons can place items on a toolbar.
- Add-ons can embed web content inside chrome widgets.
- Those web widgets can be rearranged via the toolbar customization palette.
Topics To Discuss During The Review
- How do add-ons get widgets onto the bar
- What content is allowed in add-on widgets
- Can widget content be remote
- Can chrome listen to content events
- Do widgets respond to chrome events
- Do widget events cross into chrome
Review comments
- Add-on bar spoofing: file a bug asking add-on reviewers to look out for statusbar spoofing. dietrich emailed jorge to see how best to get this in front of add-on reviewers' eyes.