Security/Reviews/PluginOverlayAPI

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Item Reviewed

Plugin Overlay API
Target * http://mozilla.github.com/shumway/

Review Bug:

Full Query
ID Summary Priority Status
776208 Provide API for JavaScript extensions to create native plugins previews for specific mime type -- RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

The given value "* http://mozilla.github.com/shumway/

Review Bug:

Full Query
ID Summary Priority Status
776208 Provide API for JavaScript extensions to create native plugins previews for specific mime type -- RESOLVED

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

" contains strip markers and therefore it cannot be parsed sufficiently.

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

To provide the API for the JavaScript extension to create the preview of a plug-in for specific mime type. Typical use case is to allow creation of the firefox extensions to provide the secure and interactive preview for or fully replace the native plugins.

This is a key component of the Shumway implementation of a web-native SWF runtime, specifically the browser integration with Firefox

Notes

Shumway will call registerPlayPreviewMimeType

When there's an embed, a check for whether there's a preview for the type (if not, it calls up plugin) if there is, it loads shumway (other preview) instead. How does the extension distinguish between multiple frames with the same source? - shumway has access the DOM tree and can extract the information from the original element.

What is the origin of the document in the iframe - originally the data: uri, then changed by the streamconverter - (for shumway, looks like resource:) use of a resource URL is likely to cause problems - either use a null principal or use the origin of the original resource.

This isn't enabling anything addons can't already do; rather, exposing a cleaner way for them to do something.

pilot shumway extension

iframe box testing

What solutions/approaches were considered other than the proposed solution?

Alternative solution: to provide an API to the extension that will fully intercept a flash object instantiation we need:

  1. add entries to the window.navigator.plugins (with the same name, descript, version and mime type as flash);
  2. intercept/forward all <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"> instantiations;
  3. and, suppress the plugins priority for the document loader factory.

Why was this solution chosen?

Less intervention into existing plugin loading base (nsObjectLoadingContent)

Any security threats already considered in the design and why?

`

Threat Brainstorming

  • iframe created for preview loads data: URI - inherits principal of resource:// URI which has some level of privilege - could try and use a null principal or iframe sandbox when it lands ?
  • preview iframe might be able to somehow interact with page/DOM after the user has decided to load the actual plugin if it's not cleaned up
  • Property "SecReview feature goal" (as page type) with input value "To provide the API for the JavaScript extension to create the preview of a plug-in for specific mime type. Typical use case is to allow creation of the firefox extensions to provide the secure and interactive preview for or fully replace the native plugins.

    This is a key component of the Shumway implementation of a web-native SWF runtime, specifically the browser integration with Firefox

    Notes

    Shumway will call registerPlayPreviewMimeType

    When there's an embed, a check for whether there's a preview for the type (if not, it calls up plugin) if there is, it loads shumway (other preview) instead. How does the extension distinguish between multiple frames with the same source? - shumway has access the DOM tree and can extract the information from the original element.

    What is the origin of the document in the iframe - originally the data: uri, then changed by the streamconverter - (for shumway, looks like resource:) use of a resource URL is likely to cause problems - either use a null principal or use the origin of the original resource.

    This isn't enabling anything addons can't already do; rather, exposing a cleaner way for them to do something.

    pilot shumway extension

    [http://pastebin.mozilla.org/1735309 iframe box testing" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
  • Property "SecReview alt solutions" (as page type) with input value "Alternative solution: to provide an API to the extension that will fully intercept a flash object instantiation we need:
    1. add entries to the window.navigator.plugins (with the same name, descript, version and mime type as flash);
    2. intercept/forward all instantiations;
    3. and, suppress the plugins priority for the document loader factory." contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.
    4. Property "SecReview threat brainstorming" (as page type) with input value "* iframe created for preview loads data: URI - inherits principal of resource:// URI which has some level of privilege - could try and use a null principal or iframe sandbox when it lands ?
    • preview iframe might be able to somehow interact with page/DOM after the user has decided to load the actual plugin if it's not cleaned up" contains invalid characters or is incomplete and therefore can cause unexpected results during a query or annotation process.

Action Items

Action Item Status In Progress
Release Target `
Action Items
Who bug Action By When Completed date

[NEW] new [DONE] Done [MISSED] Miss

Jethro Arrange secreview for shumway Coincide with / follow shortly "rough alpha" ( suggest making secreview bug now, updating with time as appropriate) [DONE] : bug 780311
Yury Remove preview iFrame (cleanup)
Dan / Ian / Mark / David Investigate alternatives for null principal for resolving iFrame security issues 13th - 18th August

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

The given value "

Who bug Action By When Completed date [NEW] new [DONE] Done [MISSED] Miss


Jethro

Arrange secreview for shumway Coincide with / follow shortly "rough alpha" ( suggest making secreview bug now, updating with time as appropriate) [DONE] : bug 780311


Yury

Remove preview iFrame (cleanup)



Dan / Ian / Mark / David

Investigate alternatives for null principal for resolving iFrame security issues 13th - 18th August



No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

" contains strip markers and therefore it cannot be parsed sufficiently.