Security/Reviews/Firefox4/App Tabs Security Review
Security Review Pre-Work
Please fill our the short section below prior to the review, and make sure you contact firstname.lastname@example.org to schedule your actual review.
We wanted to make sticky tabs that were the same in every window and persisted between sessions. We didn't get the "same in every window" feature done, so they are merely "pinned tabs" which will persist between sessions.
- Background links
Please list the top 3 security threats you have considered during the design and implementation of this feature. Consider attack points as well as code that feels fragile.
I (zpao) only did some of the followup work and have had to deal with app tabs in session restore. I haven't encountered any security threats while doing this work.
What mitigations have you implemented?
Topics To Discuss During The Review
- Does the feature cache or store data that could strengthen super-cookies?
Since app tabs persist, their session cookies do too (for the current page anyway). App tabs follow the browser.sessionstore.privacy_level pref.
- How are transitions in/out of Private Browsing mode handled?
App tabs are removed & restored just like normal tabs.
- How is "Clear Recent History" handled?
App tabs are treated just like normal tabs here.
Notes and bug numbers will be recorded here. Let's try not to spend too much time on any one topic during the meeting.
- simple host check on link clicks to determine target.
- window.location = not guaranteed to stay in "app"
- only link target is checked, it can redirect
- search site app-tabs navigate to random sites when clicking link (at least Google; some might have a different-host redirector)
- links opened in new tab might be able to navigate app-tab opener