SecurityEngineering/Removing Proprietary window.crypto Functions

From MozillaWiki
Jump to: navigation, search

Removing Proprietary window.crypto Functions and Properties

The following announcement was sent to and dev.platform on 26 June 2014:
(!topic/ )

[dev.platform cc'd for visibility - please follow-up to]

Summary: We intend to remove the proprietary window.crypto functions and properties. See for what will be affected by this change. Our reasoning is as follows: These functions have never been (and never will be) standardized. The implementation has near-nonexistent test coverage. What few tests exist were written as a result of finding easily-encountered bugs years after the original implementation landed[0][1][2]. As it is exposed to web content, it represents a considerable attack surface. It is not well-maintained. It is incompatible with our process-separation and sandboxing efforts. It is not supported or enabled on Firefox OS. Meanwhile, we are making progress on implementing the webcrypto specification[3]. When complete, webcrypto should provide compatible functionality for what these functions are currently being used to do. Any functionality not implementable using webcrypto is available to addons (see the interfaces in security/manager/ssl/public).

Note: this does not include window.crypto.subtle or window.crypto.getRandomValues, which are part of webcrypto and do not need to be removed.


Spec: n/a

Platform coverage: desktop, android

Target release: 33

Pref: n/a


Table of Removals and Replacements

Property or Function Replacement
window.crypto.version n/a
window.crypto.enableSmartCardEvents addon (register an observer of the topics "smartcard-insert" and "smartcard-remove")
window.crypto.generateCRMFRequest <keygen> or webcrypto
window.crypto.importUserCertificates save/import file via certificate manager
window.crypto.signText webcrypto and/or addon (e.g. signTextJS)
all other window.crypto functions that are currently unimplemented n/a

(Note that this does not include window.crypto.getRandomValues)