canmove, Confirmed users
1,568
edits
Extension Manager:Security Review: Difference between revisions
Jump to navigation
Jump to search
Extension Manager:Security Review (view source)
Revision as of 09:47, 22 October 2007
, 22 October 2007no edit summary
No edit summary |
|||
| Line 24: | Line 24: | ||
== Use Cases == | == Use Cases == | ||
''Describe the primary use cases for the feature here.'' | ''Describe the primary use cases for the feature here.'' | ||
* Installing new add-ons | |||
* Configuring add-ons | |||
* Enabling/Disabling/Uninstalling existing add-ons | |||
== Requirements == | == Requirements == | ||
''List functional and non-functional requirements for the feature here, with links back to any relevant product PRD. These requirements should be prioritized.'' | ''List functional and non-functional requirements for the feature here, with links back to any relevant product PRD. These requirements should be prioritized.'' | ||
PRD: http://wiki.mozilla.org/Firefox3/Product_Requirements_Document#Add-ons | PRD: http://wiki.mozilla.org/Firefox3/Product_Requirements_Document#Add-ons | ||
== Schedule == | == Schedule == | ||
''Describe the rough schedule here, linking back to relevant product release milestones, as well as linking to any build/release notes.'' | ''Describe the rough schedule here, linking back to relevant product release milestones, as well as linking to any build/release notes.'' | ||
The restart button and l10n work landed for alpha 6, the other parts landed for alpha 8. Specific bugs have the target milestone set appropriately. | The restart button and l10n work landed for alpha 6, the other parts landed for alpha 8. Specific bugs have the target milestone set appropriately. | ||
| Line 42: | Line 48: | ||
== Security and Privacy == | == Security and Privacy == | ||
* What security issues do you address in your project? | * What security issues do you address in your project? | ||
New work involves ensuring that MITM attacks cannot occur during the add-ons update process, this involves ensuring that updates are either delivered by ssl secured connections or have been signed by a cryptographic key pair, the public part of which is already known to the application. | |||
* Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing? | * Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing? | ||
The Add-ons manager attempts to recover in the event of corrupt/missing configuration files. | |||
* Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project. | * Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project. | ||
The ability to install extensions into the application is itself a potential risk since the extension runs as a privileged component of the application able to perform any operation that the regular application can. | |||
The install whitelist is in place to make it more difficult to install an extension from a non-trusted source. The update security restrictions ensure that once an extension is installed it's update cannot be circumvented by a third party. | |||
== Exported APIs == | == Exported APIs == | ||
* Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.) | * Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.) | ||
[http://mxr.mozilla.org/seamonkey/source/toolkit/mozapps/extensions/public/nsIExtensionManager.idl nsIExtensionManager.idl] [http://mxr.mozilla.org/seamonkey/source/toolkit/mozapps/extensions/public/nsIBlocklistService.idl nsIBlocklistService.idl] | |||
* Does it interoperate with a web service? How will it do so? | * Does it interoperate with a web service? How will it do so? | ||
The Add-ons manager retrieves update information about installed and add-ons to be installed from remote servers. This is done using the regular HTTP protocol retrieving a file in an RDF format as described in the [http://developer.mozilla.org/en/docs/Extension_Versioning%2C_Update_and_Compatibility#Update_RDF_Format update manifest documentation]. | |||
* Explain the significant file formats, names, syntax, and semantics. | * Explain the significant file formats, names, syntax, and semantics. | ||
Each add-on is delivered as an xpi file which is just a simple zip file. | |||
There are a number of files existing for each add-on to enable installation and subsequent updating: | |||
* [http://developer.mozilla.org/en/docs/install.rdf install.rdf] holds per-add-on metadata that describes what version the add-on is, what applications it can be installed into and user-facing information such as a name and description. | |||
* [http://developer.mozilla.org/en/docs/Extension_Versioning%2C_Update_and_Compatibility#Update_RDF_Format update.rdf] is retrieved from the internet to tell the add-ons manager updated information about the current add-on and any updates that are available for it. | |||
* Other files in the add-on are not really used by the add-ons manager however the application makes use of them to run the add-on. The structure of the addon a [http://developer.mozilla.org/en/docs/Bundles bundle]. | |||
The Add-ons manager maintains 3 state files in the user's profile directory: | |||
* extensions.rdf holds the bulk of information about all installed add-ons, the majortiy of this is copied from the add-on's install.rdf file and state information such as blocklisting, disabling status is held here. | |||
* extensions.ini contains a list of the directories of currently installed and enabled add-ons. This is used by the application, the add-ons manager the current list of add-ons to this but does not read from it. | |||
* extensions.cache contains a list of all the known add-ons together with state information about the last modified time and any operations waiting to be performed. This is used to increase startup performance by allowing the add-ons manager to avoid loading extensions.rdf unless necessary. | |||
* Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully? | * Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully? | ||
* Does it change any existing interfaces? | * Does it change any existing interfaces? | ||