Security/Reviews/Firefox4/about:home Security Review
From MozillaWiki
Overview
Replace the current remotely hosted Start Page with a locally hosted one. This avoids network access on startup, making it faster, lets the page be customized easily, and allows better custom snippets to be added to it. It can also be expanded more easily in the future.
- Background links
Threats
- Remote injection of code into the page for privilege escalation
- Potential for cross-domain attacks (snippet on snippet?) [Lucas]
- Local data theft attacks (if remote snippets are executed in local file context) [Lucas]
What mitigations have you implemented?
- The implemented about: page runs with content privileges. Any data it needs from chrome is passed through a localStorage store in a completely asynchronous way, so there is no way for content to call privileged code or to access any data that was not explicitly provided.
Topics To Discuss During The Review
- Does the feature expose information that could strengthen fingerprinting?
- The page can read snippets of HTML from a remote source, but so far it does not send any kind of personal data. There is a request in bug 593379 to add some stats data that is generic enough not to expose interesting details.
- Does the feature cache or store data that could strengthen super-cookies?
- No cookies are requested or sent
- How are transitions in/out of Private Browsing mode handled?
- The page has the same access to its data regardless of Private Browsing mode; no personal data is retained.
- What data is read or parsed by this feature?
- So far, the default search engine from the search service and the value of the snippets server URL used for Mozilla snippets updates. Bug 593379 could add more data.
- What is the output of this feature?
- An unprivileged about: page
- What storage formats are used?
- localStorage/DOMStorage has a special store for about: pages in chromeappsstore.sqlite
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- This is managed by Storage and DOMStorage, as for the usual localStorage feature
- Can the end user configure settings (via UI, about:config, or environment variables)?
- The only settable preference is the update server for snippets
- Are there build options for developers (e.g. #ifdefs, ac_add_options)
- No
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
- Search engine data is maintained by the search service; snippets live on the Mozilla server and will have to be updated based on marketing needs
- Does it interoperate with a web service?
- The Mozilla snippets server sends a chunk of XHTML code, which we inject through innerHTML
Review comments
- snippet URL in product/pref needs to be SSL (bug 627926)
  - about:home itself should reject any URL not "https://"
    - overkill: the idea was to protect against stupid redistributors, but a comment in the preference file and code should be sufficient
  - make sure the domain is *.mozilla.org also?
    - if so, need an "out" for non-Firefox products
    - no, bad idea. Would need an override anyway, so no point
- snippet contents on the SERVER need to be https-only
  - snippets are directly injected into the page
  - each new snippet update needs a security review
  - there are definite plans to include scripts in snippets; they must be inline or loaded over SSL
  - the page does not manage snippets. If multiple snippets are downloaded, the snippet itself includes scripts to manage which one is shown.
  - If we include http content (especially script) there is a risk of MITM. The snippet could then:
    - change the monetization of the search URL
    - change localStorage['snippets-update-url'] to the attacker's site (data? further changes?)
    - convince the user to download/install bad stuff (spoofing Mozilla)
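The following is an added example, not code from the about:home page, from Firefox, or from this review. It shows the client-side check the comments above ask for (reject any snippets update URL that is not https://) and a stand-in for the snippet loading flow around it. The localStorage key "snippets-update-url" is the one named in the review; the "snippets" cache key, the fetch function, the hostnames and the snippet contents are constructed for the example.

```javascript
"use strict";

// Added example; not code from the about:home page, Firefox or this review.
// It implements the check the review comments ask for: about:home refuses
// to fetch snippets from any update URL that is not https://, so a
// redistributor's or attacker's http:// value is never used and a
// man-in-the-middle cannot substitute script that ends up in innerHTML.

// True only for an absolute URL whose scheme is https. Parsing with the
// URL class instead of a "https://" prefix test also rejects relative
// URLs, javascript:/data: URLs and unparsable strings, and accepts the
// uppercase "HTTPS://" spelling that a prefix test would wrongly refuse.
function isHttpsSnippetsUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false; // relative or unparsable: never fetch it
  }
  return parsed.protocol === "https:";
}

// Stand-in for the page's snippet loading. `storage` models the
// localStorage store about:home reads; "snippets-update-url" is the key
// named in the review, "snippets" (the last fetched copy) is an assumed
// cache key. `fetchText` is a synchronous function injected by the caller
// so the example runs offline. Returns the HTML that would be assigned
// to the snippet container's innerHTML and where it came from.
function loadSnippets(storage, fetchText, defaultSnippet) {
  const updateUrl = storage.get("snippets-update-url");
  if (!isHttpsSnippetsUrl(updateUrl)) {
    // Non-https or missing URL: ignore it and show the built-in snippet.
    return { source: "default", html: defaultSnippet };
  }
  try {
    const html = fetchText(updateUrl);
    storage.set("snippets", html);
    return { source: "remote", html };
  } catch (e) {
    // Network failure: fall back to the last fetched copy if there is one.
    const cached = storage.get("snippets");
    return cached !== undefined
      ? { source: "cache", html: cached }
      : { source: "default", html: defaultSnippet };
  }
}

// Constructed inputs for a stand-alone run (hosts are made up).
const DEFAULT_SNIPPET = "<p>Built-in snippet</p>";
const REMOTE_SNIPPET = "<p>Snippet from server</p>";

// Fake fetch: only the constructed https host answers; anything else
// behaves like a network failure.
function fakeFetch(url) {
  if (url === "https://snippets.example.org/") return REMOTE_SNIPPET;
  throw new Error("network error");
}

// Runs loadSnippets once per candidate update URL and reports which
// source each one ended up using.
function demo() {
  const candidates = {
    https: "https://snippets.example.org/",
    http: "http://snippets.example.org/",
    javascript: "javascript:alert(1)",
    relative: "//snippets.example.org/",
    missing: undefined,
  };
  const results = {};
  for (const [label, url] of Object.entries(candidates)) {
    const storage = new Map();
    if (url !== undefined) storage.set("snippets-update-url", url);
    results[label] = loadSnippets(storage, fakeFetch, DEFAULT_SNIPPET).source;
  }
  return results;
}

console.log(demo());
```

Only the https constraint is enforced, matching the review's decision to drop the *.mozilla.org domain check. Note what this does not cover: it controls where the update URL points, not what the server returns, so the items about https-only snippet contents and a security review per snippet update still apply to everything that reaches innerHTML.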