Security/Reviews/Firefox4/Desktop Notifications Security Review

From MozillaWiki
Jump to navigation Jump to search

dougt will update...

Overview

Notificatations APIs are responsible for managing notifications from web applications, and showing them on the user's desktop.

Background links

Security and Privacy

  • Is this feature a security feature? If it is, what security issues is it intended to resolve?
  • What potential security issues in your feature have you already considered and addressed?
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
  • How are transitions in/out of Private Browsing mode handled?

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
  • Does it interoperate with a web service? How will it do so?
  • Explain the significant file formats, names, syntax, and semantics.
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
  • Does it change any existing interfaces?

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)?

Data

  • What data is read or parsed by this feature?
  • What is the output of this feature?
  • What storage formats are used?

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • What ranges for the tunable are appropriate? How are they determined?
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

Relationships to other projects

Are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments

  • What happens with the image URLs?
    • sometimes we load and create the image
    • sometimes we pass the URL
    • best to restrict to http/https, definitely a whitelist of some sort
      • if data: is allowed create as <IMG>
      • filed bug xxxxx
  • sites can send a different image with each request?
    • lots of spoofing possibilities
  • If there's no callback, clicking on notification does nothing.
  • If there's a callback function it gets called.
    • can call focus(), not sure that will actually raise the window
  • What format are the messages? "text"?
    • what's the risk that some platform will parse/render HTML?
    • should we sanitize proactively just in case?
  • brainstorm on how to tie site notifications back to the site you gave permission to
    • domain (eTLD+1?) prefix on title?
    • fixed icon (same as first call)
      • Android notifications always use the Fennec icon
    • Fixed text pattern? (e.g. "Tweet from *")
  • how do you cancel permission for an overly-talkative (or even abusive) site?
  • need a global off switch (presentation mode?)
  • doesn't save settings in Private Browsing mode (correct)
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Reviews/Firefox4/Desktop_Notifications_Security_Review&oldid=261574"