Security/Reviews/Firefox4/Web Console Security Review
- Background links
- Feature tracking bug link: bug 529086
Security and Privacy
- Is this feature a security feature? If it is, what security issues is it intended to resolve?
Not a security feature.
- What potential security issues in your feature have you already considered and addressed?
One minor issue at the moment is that the console object has more enumerable properties than the intended API, so content can enumerate more than the exported functions. This is fixed in patches that are likely to land in beta 8.
- Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
We assume that code executed in the sandbox can access only the current contentWindow's scope. The command line is part of browser chrome, so content should not be able to attack the user through the command line.
Users can execute arbitrary content scripts and create new objects via the command line interface, as well as inspect any objects.
We use several different Observers that give the console access to all HTTP traffic and to errors that are reported.
Potential risks include any future issues with wrapped objects not doing the "right thing", mainly window objects, network requests and loadGroups.
The new console object uses a new mechanism (nsIDOMGlobalPropertyInitializer) that allows all of its properties to be lazily initialized. Given that the console object is accessible to web content, it is the riskiest part of the feature.
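As an added illustration (not Firefox code, and not the Web Console's implementation), the following plain JavaScript models two of the points above with ordinary objects standing in for the content window and the chrome-side observer: the console object's enumerable surface should be exactly the exported API (the extra-enumerable-properties issue noted above), the methods are created lazily on first access, messages are handed to an observer, and a page that has already defined its own console is left alone, with a notice returned for display (the failure mode noted further down). The method names log/info/warn/error are assumed here; the page says only that four functions are exported.

```javascript
// Added example, not Firefox code. Plain objects stand in for the content
// window and for the chrome-side observer that receives ConsoleAPI messages.
// The four method names are an assumption; the review only says "4 functions".
const CONSOLE_METHODS = ["log", "info", "warn", "error"];

// Chrome-side sink standing in for an nsIObserver: it records each message
// so that a front end (or another tool such as Firebug) can display it.
function createMessageSink() {
  const messages = [];
  return {
    messages,
    observe(level, args) {
      messages.push({ level, args: args.map(String) });
    },
  };
}

// Build the console object handed to content.
//  - Each API method is lazily initialized: an accessor creates the function
//    on first access and then replaces itself with a plain data property.
//  - The internal handle to the sink is deliberately non-enumerable so that
//    content enumerating `console` sees only the API surface.
function createConsoleObject(sink) {
  const consoleObj = {};
  Object.defineProperty(consoleObj, "__sink", {
    value: sink,
    enumerable: false,
    writable: false,
    configurable: false,
  });
  for (const level of CONSOLE_METHODS) {
    Object.defineProperty(consoleObj, level, {
      enumerable: true,
      configurable: true,
      get() {
        const fn = (...args) => {
          sink.observe(level, args);
        };
        Object.defineProperty(consoleObj, level, {
          value: fn,
          enumerable: true,
          writable: true,
          configurable: true,
        });
        return fn;
      },
    });
  }
  return consoleObj;
}

// What content can see via for-in / Object.keys; the check the review wants
// is that this is exactly the exported API and nothing else.
function enumerableSurface(consoleObj) {
  return Object.keys(consoleObj).sort();
}

// Install on a window-like object. If the page already defined its own
// `console`, do not clobber it; return a notice for the UI instead.
function installConsole(win, sink) {
  if (Object.prototype.hasOwnProperty.call(win, "console")) {
    return {
      installed: false,
      notice:
        "This page has defined its own console object; " +
        "the built-in console API will be non-functional here.",
    };
  }
  win.console = createConsoleObject(sink);
  return { installed: true, notice: null };
}

// Usage: a fresh window gets the built-in console, and a call reaches the sink.
const demoSink = createMessageSink();
const demoWin = {};
installConsole(demoWin, demoSink);
demoWin.console.log("network request", 200);
```

In this model the observer, not the content page, owns the message store, so content can neither read other pages' messages nor reach chrome through the console object; only the four methods are enumerable, and a page-defined console is detected before anything is installed.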
- How are transitions in/out of Private Browsing mode handled?
No special handling of Private Browsing. The console data is thrown away when the tab is closed.
- Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
- Does it interoperate with a web service? How will it do so?
- Explain the significant file formats, names, syntax, and semantics.
The Web Console uses no files.
- Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
The console API is the only supported interface, and the four functions we export are part of the de facto standard.
- Does it change any existing interfaces?
The window object now has the "console" object available on it.
- What other modules are used (REQUIRES in the makefile, interfaces)?
- Services.jsm: strings, prefs, io, wm, ww, obs, console, appinfo
- What data is read or parsed by this feature?
Network I/O is observed and formatted for display.
- What is the output of this feature?
Network request/response information and script/css error logging, plus output of user script logging calls.
- What storage formats are used?
- What failure modes or decision points are presented to the user?
If a website has created its own console object, a console message is displayed telling the user that the built-in console API will be non-functional on that page.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
Via a UI. The console has checkboxes that turn certain kinds of logging on and off for the current contentWindow. The preferences service only knows about the global default settings, which are not manipulated via the UI.
- Are there build options for developers? [#ifdefs, ac_add_options, etc.]
- What ranges for the tunable are appropriate? How are they determined?
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
Relationships to other projects
- Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
Firebug may want to consider using the console object we provide to the window object, since it is automatic and lazily generated. All Firebug will need to do is create an observer to get the ConsoleAPI messages.
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
- Inspect Network Request panel
- we do seem to encode/escape data
- use <browser type="content"> to reduce privilege
- except chrome:// is still privileged
- switch to a resource: template maybe?
- or maybe a special about: page (unprivileged, of course)
- create from scratch into a data: or about:blank document?
- bug 602198 (please fill in)
- Console lines are text nodes added -- should get proper escaping.
- console filter is done by XPath (but entered by user anyway)
- command-line is executed by evalInSandbox()
- does this break on a CSP-using page that disabled eval()?
- seems to work OK
- similar concerns to the network panel
- currently not caching data, but when we are it should be purged when going into/out of Private Browsing mode. bug 602199