Security/Reviews/Firefox4/FileAPI Security Review

From MozillaWiki


Describe the goals and objectives of the feature here.

File API spec

Allows a page to obtain a URL for a File object. Loading that URL returns the contents of the file.

Security and Privacy

  • What potential security issues in your feature have you already considered and addressed?

The URL has an origin and is subject to same-origin checks. If origin A generates a URL, origin B can't load from it. Additionally, there is no way for B to get the URL unless A explicitly hands it a copy.

There is currently a bug that allows origin B to "revoke" a URL that origin A has generated, but only if B somehow manages to guess the URL.

  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.

The assumption that UUIDs can't be guessed (though there are extra layers of security). Possible bugs in how we determine the origin for a given URI.

  • How are transitions in/out of Private Browsing mode handled?

No effect. Maybe there should be?

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)

url = window.createBlobURL(file);
window.revokeBlobURL(url);

  • Does it change any existing interfaces?


Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)?


  • What data is read or parsed by this feature?
  • What is the output of this feature?
  • What storage formats are used?


  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?


  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • What ranges for the tunable are appropriate? How are they determined?
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

Relationships to other projects

Are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments

  • File a bug to kill the ability to revoke a cross-origin FileURL by name/url.