Security/Reviews/Firefox4/Web Console Security Review

From MozillaWiki
Jump to: navigation, search


The Web Console aims to provide an always-available webpage debugging tool. It allows the user to view logging output generated when the page is loaded and when the user interacts with JavaScript. It also provides a "JavaScript command line" so that the user can interact with the page. Additionally, it adds the de facto standard `console` object to Firefox to avoid breaking on sites that assume a console object is present.

Background links

Security and Privacy

  • Is this feature a security feature? If it is, what security issues is it intended to resolve?

Not a security feature.

  • What potential security issues in your feature have you already considered and addressed?

For the JavaScript command line, we use Cu.evalInSandbox(), using the current contentWindow as the execution scope. mrbkap has taken a cursory look at our implementation of this part of the Web Console feature.

One minor issue that exists at the moment is that the console object has more enumerable properties than it should. This is fixed in coming patches that are likely to land in beta 8.

  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?


  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.

We assume that the execution in sandbox will only be able to access the current contentWindow's scope. The command line is part of browser chrome, so content should not be able to attack the user through the command line.

Users are capable of executing any content scripts and creating new objects via the command line interface, as well as inspecting any objects.

We use several different Observers that give the console access to all HTTP traffic and errors that are reported

Potential risks might include any future issues with wrapped objects not doing the "right thing", mainly window objects, network requests, loadGroups.

The new console object uses a new mechanism (nsIDOMGlobalPropertyInitializer) that allows all of its properties to be lazily initialized. Given that the console object is accessible to web content, it is the riskiest part of the feature.

  • How are transitions in/out of Private Browsing mode handled?

No special handling of Private Browsing. The console data is thrown away when the tab is closed.

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
  • window.console.log
  • window.console.warn
  • window.console.error
  • Does it interoperate with a web service? How will it do so?


  • Explain the significant file formats, names, syntax, and semantics.

The Web Console uses no files.

  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?

The console API is the only supported interface, and the 4 functions we export are part of the de facto standard.

  • Does it change any existing interfaces?

The window object now has the "console" object available on it.

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)?
  • nsIScriptError
  • nsIHttpActivityDistributor
  • nsIStyleSheetService
  • NetUtil.jsm
  • Services.jsm: strings, prefs, io, wm, ww, obs, console, appinfo
  • XPCOMUtils.jsm


  • What data is read or parsed by this feature?

Network I/O is observed and formatted for display.

  • What is the output of this feature?

Network request/response information and script/css error logging, plus output of user script logging calls.

  • What storage formats are used?



  • What failure modes or decision points are presented to the user?

If a website has created its own console object, a console message is displayed telling the user that the built-in console API will be non-functional

  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?



  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?

via a UI. The console has checkboxes that turn on and off certain kinds of logging for the current contentWindow. The preferences service only knows about the global default settings, which are not manipulated via the UI.

  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]


  • What ranges for the tunable are appropriate? How are they determined?


  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?


Relationships to other projects

  • Are there related projects in the community?

Yes. Firebug

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?

Firebug may want to consider using the console object we provide to the window object, since it is automatic and lazily generated. All Firebug will need to do is create an observer to get the ConsoleAPI messages.

  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?


Review comments

  • Inspect Network Request panel
    • we do seem to encode/escape data
    • use <browser type="content> to reduce privilege
      • except chrome:// is still privileged
      • switch to a resource: template maybe?
      • or maybe a special about: page (unprivileged, of course)
      • create from scratch into a data: or about:blank document?
    • disable javascript and plugins on the docshell
    • bug 602198 (please fill in)
  • Console lines are text nodes added -- should get proper escaping.
  • console filter is done by XPath (but entered by user anyway)
  • command-line is executed by evalInSandbox()
  • does this break on a CSP-using page that disabled eval()?
    • seems to work OK
  • javascript evaluation results are clickable -- get an inspect panel
    • similar concerns to the network panel
  • currently not caching data, but when we are it should be purged when going into/out of Private Browsing mode. bug 602199