Security/Reviews/Firefox4/Desktop Notifications Security Review

From MozillaWiki
Jump to: navigation, search

dougt will update...


Notificatations APIs are responsible for managing notifications from web applications, and showing them on the user's desktop.

Background links

Security and Privacy

  • Is this feature a security feature? If it is, what security issues is it intended to resolve?
  • What potential security issues in your feature have you already considered and addressed?
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
  • How are transitions in/out of Private Browsing mode handled?

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
  • Does it interoperate with a web service? How will it do so?
  • Explain the significant file formats, names, syntax, and semantics.
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
  • Does it change any existing interfaces?

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)?


  • What data is read or parsed by this feature?
  • What is the output of this feature?
  • What storage formats are used?


  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?


  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • What ranges for the tunable are appropriate? How are they determined?
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

Relationships to other projects

Are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments

  • What happens with the image URLs?
    • sometimes we load and create the image
    • sometimes we pass the URL
    • best to restrict to http/https, definitely a whitelist of some sort
      • if data: is allowed create as <IMG>
      • filed bug xxxxx
  • sites can send a different image with each request?
    • lots of spoofing possibilities
  • If there's no callback, clicking on notification does nothing.
  • If there's a callback function it gets called.
    • can call focus(), not sure that will actually raise the window
  • What format are the messages? "text"?
    • what's the risk that some platform will parse/render HTML?
    • should we sanitize proactively just in case?
  • brainstorm on how to tie site notifications back to the site you gave permission to
    • domain (eTLD+1?) prefix on title?
    • fixed icon (same as first call)
      • Android notifications always use the Fennec icon
    • Fixed text pattern? (e.g. "Tweet from *")
  • how do you cancel permission for an overly-talkative (or even abusive) site?
  • need a global off switch (presentation mode?)
  • doesn't save settings in Private Browsing mode (correct)