User:DCamp/OfflineApps Security Review
Review results:
- Filed bug 397416 for giving apps a way to flag that they have unsynced data.
- Filed bug 398478 for clearing cookies and offline data separately.
- Commented on bug 394392 about adding an "unsynced data will be lost" warning to the UI.
- Added a "UI needed" section.
- Added an item about cross-site scripting to the "steps taken for security" section.
- Added the input file disclosure issue to "possible attack vectors".
- 1 Status
- 2 Overview
- 3 Design Impact
- 3.1 Security and Privacy
- 3.2 Exported APIs
- 3.3 Web Compatibility
- 3.4 Performance
- 3.5 Reliability
- 3.6 l10n and a11y
- 3.7 Installation, Upgrade/Downgrade/Sidegrade, and platform requirements
- 3.8 configuration
- 3.9 Relationships to other projects - are there related projects in the community?
- 3.10 Documentation
- 3.11 Other
- 4 Discussion & Implications
- Feature tracking bug
Has a design review been completed?
Only in individual bugs (and informally while we wrote the spec).
When do you anticipate the feature landing?
Most of the backend work is in. I expect the user interface to land for M9.
For developers to make their applications available while the browser is offline, they need a few capabilities from the browser:
- Guaranteed resource availability - All the application resources (images, html, script, etc) need to be locally available. This is implemented in Fx3 as an additional HTTP cache (the "offline cache"), with eviction controlled by the application itself.
- Offline data storage - The application needs to be able to store data on the user's machine. globalStorage was available in Fx2, but needs to be extended for Fx3 to allow more space for offline apps.
- Notification of when the browser is offline
- Access to files from the <input type="file"> element.
Describe the primary use cases for the feature here.
List functional and non-functional requirements for the feature here, with links back to any relevant product PRD. These requirements should be prioritized.
- Preliminary <link rel="offline-resource"> support landed in alpha 3.
- A sqlite-based store for the offline cache landed in alpha 5.
- UI is planned to land in M9.
UI Design Documentation
Most of this section is cut and pasted from emails from beltzner.
- use a <notificationbox> (see http://developer.mozilla.org/en/docs/XUL:notificationbox)
- should appear when 1) there's a link rel tag, or 2) the app makes a move to install itself (I know there was discussion of this being tricky, but I'd like to ensure that users are asked before the apps install themselves)
- shouldn't appear if the website's already been downloaded
- something like:
[ This website (mail.mozilla.com) is offering to store data on your computer for offline use ( Allow ) ( x ) ]
Too Much Space Notification
- users should be warned when a single application ends up saving more than cache allowance
- users should be warned when all offline storage use ends up resulting in less than 10% free disk space
- warning should be at point of task, so happen when the application stores data
- warning again should be a <notificationbox>
- something like:
[ This website (mail.mozilla.com) is using more than 50MB of data on your computer ( Allow ) ( Show offline data use ) ]
[ Your disk is getting full, and you may wish to remove offline data ( Show offline data use ) ]
- "show offline data use" should open the prefpane to the appropriate location
- these strings might not be exactly right; madhava might have better suggestions
- see bug 230130, Michael Ventnor might be able to help here
- I think the right approach here would be to
- add a textbutton (Offline) to the location bar
- change the title of the browser window to say [Offline] - Page Title
- for now let's put it in Preferences > Advanced > Network
- groupbox title = "Offline storage"
- use a listbox to list offline websites by name (URI unless there's a way to get the webapp title) along with their data usage
- add a "Remove ..." button which is active when an item in that groupbox is selected
- confirmation prompt when the user clicks remove
Offline storage
_____________________________________________________
Use up to [ 50 ] MB of space for cache          ( Clear Now )

The following websites have data installed for offline use:
.---------------------------------------------.
| mail.mozilla.com                     128 MB |
| flickr.com                            21 MB |
|                                             |
|                                             |
|                                             |
|                                             |
'---------------------------------------------'
                               ( Remove ... )

.-------------------------------------------------.
| Remove offline website data                     |
'-------------------------------------------------'
| After removing this data, mail.mozilla.com will |
| not be available offline. Are you sure you want |
| to remove this offline website?                 |
|                                                 |
| (( Cancel ))            ( Remove offline data ) |
'-------------------------------------------------'
- Management of the "deny" list for the offline-apps privilege.
Security and Privacy
What security issues do you address in your project?
- Applications must have the offline-app permission set to take advantage of the offline API.
- There are limits to the number of URIs that can be added to the offline cache using script.
- Users are warned about excessive disk usage by an offline app.
- Same-origin is enforced for isLocallyAvailable() and navigator.pendingOfflineLoads.
- Cross-site scripting: No additional attack vectors have been added. Content cannot be injected into the offline cache (except by caching data from the original URI).
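The checks listed above, as an added example that is not the Firefox implementation: a small JavaScript model of the policy gates (offline-app permission, per-script URI limit, same-origin enforcement for isLocallyAvailable(), and the disk-use warnings). The class and method names, the cap of 100 script-added URIs, and the choice to throw on a cross-origin isLocallyAvailable() call are assumptions; the 50 MB per-site and 10% free-disk thresholds are the figures from this page.

```javascript
// Added example: a model of the offline-cache policy checks, not Firefox code.
// Limits and names below are assumptions chosen to mirror the numbers on this page.

const MAX_SCRIPT_ADDS = 100;                 // assumed cap on URIs a script may add
const PER_SITE_WARN_BYTES = 50 * 1024 * 1024; // 50 MB per-site allowance (from the page)
const MIN_FREE_DISK_FRACTION = 0.10;          // warn below 10% free disk (from the page)

// Origin = scheme + host + port, the tuple the same-origin policy keys on.
// URL.host keeps a non-default port, so https://a.example:8443 != https://a.example.
function originOf(uri) {
  const u = new URL(uri);
  return `${u.protocol}//${u.host}`;
}

class OfflineCacheModel {
  constructor({ diskTotal, diskUsedElsewhere }) {
    this.permitted = new Set();   // origins holding the offline-app permission
    this.entries = new Map();     // uri -> { origin, size }
    this.scriptAdds = new Map();  // origin -> number of script-initiated adds
    this.diskTotal = diskTotal;
    this.diskUsedElsewhere = diskUsedElsewhere;
  }

  grantPermission(origin) { this.permitted.add(origin); }

  siteUsage(origin) {
    let n = 0;
    for (const e of this.entries.values()) if (e.origin === origin) n += e.size;
    return n;
  }

  totalUsage() {
    let n = 0;
    for (const e of this.entries.values()) n += e.size;
    return n;
  }

  // A page at pageOrigin asks, from script, to cache `uri` of `size` bytes.
  // Every gate runs before anything is stored; warnings are computed after.
  addFromScript(pageOrigin, uri, size) {
    const warnings = [];
    if (!this.permitted.has(pageOrigin))
      return { ok: false, reason: 'no offline-app permission', warnings };
    if (originOf(uri) !== pageOrigin)
      return { ok: false, reason: 'cross-origin resource', warnings };
    const adds = this.scriptAdds.get(pageOrigin) || 0;
    if (adds >= MAX_SCRIPT_ADDS)
      return { ok: false, reason: 'script add limit reached', warnings };

    this.scriptAdds.set(pageOrigin, adds + 1);
    this.entries.set(uri, { origin: pageOrigin, size });

    // The two "too much space" notifications from the UI section.
    if (this.siteUsage(pageOrigin) > PER_SITE_WARN_BYTES)
      warnings.push('site over per-site allowance');
    const free = this.diskTotal - this.diskUsedElsewhere - this.totalUsage();
    if (free / this.diskTotal < MIN_FREE_DISK_FRACTION)
      warnings.push('disk nearly full');
    return { ok: true, reason: null, warnings };
  }

  // isLocallyAvailable() must not become a cross-site probe of what the user
  // has cached: a page may only ask about its own origin (modeled as throwing).
  isLocallyAvailable(pageOrigin, uri) {
    if (originOf(uri) !== pageOrigin) throw new Error('same-origin violation');
    return this.entries.has(uri);
  }
}
```

The order of the gates matters: the permission and same-origin checks run before the counter is touched, so a rejected cross-origin add does not consume the script's quota, and the warnings are reported only for adds that actually land.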
Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
- The offline cache acts like a normal web cache for security purposes; All decisions are made as though the resource came from the original server.
- While users are warned about excessive disk usage, disk exhaustion is still probably the primary risk.
- Before this change, a file selected in an <input type="file"> element could only leave the machine in the request that submitted it. If a user selected a file while not connected to the network and then unselected it before reconnecting, they could be sure the file was never uploaded. With these changes, a script can read the file's contents, store them in offline storage, and upload them once the network is available, even after the user has cleared the selection.
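The file-disclosure scenario above, as an added example that is not from the original page: a JavaScript model of the old and new behaviour. The page, the storage and the network are stand-ins passed in as plain objects so it runs offline; a real page would read the bytes through the fileList / nsIDOMFile interfaces listed under "Exported APIs" and keep them in globalStorage. The names DeferredUploader, hasUnsyncedData() and the sample file are assumptions.

```javascript
// Added example, not Firefox or page code: models the regression that offline
// storage introduces for files picked in <input type="file">. Storage and
// network are injected stubs; the sample file contents are constructed.

// Old behaviour: the file only leaves the machine in the request that submits
// it, so an attempt while offline sends nothing and a cleared selection is gone.
function submitImmediately(selectedFile, network) {
  if (!selectedFile) return { sent: false, reason: 'nothing selected' };
  if (!network.online) return { sent: false, reason: 'offline, not sent' };
  network.send(selectedFile.name, selectedFile.bytes);
  return { sent: true, reason: null };
}

// New behaviour: script can read the file at selection time, copy the bytes
// into persistent storage and flush them when the browser reports it is online.
class DeferredUploader {
  constructor(store, network) {
    this.store = store;      // Map-like persistent store (stand-in for globalStorage)
    this.network = network;  // { online: boolean, send(name, bytes) }
  }

  // Runs when the user picks a file; the copy outlives the <input> selection.
  onFileSelected(file) {
    this.store.set('pending:' + file.name, file.bytes);
  }

  // The hook a "you have unsynced data" warning (bug 397416) would key on.
  hasUnsyncedData() {
    for (const key of this.store.keys()) if (key.startsWith('pending:')) return true;
    return false;
  }

  // Runs on the browser's online notification; uploads everything queued.
  onOnline() {
    const sent = [];
    for (const [key, bytes] of [...this.store.entries()]) {
      if (!key.startsWith('pending:')) continue;
      const name = key.slice('pending:'.length);
      this.network.send(name, bytes);
      this.store.delete(key);
      sent.push(name);
    }
    return sent;
  }
}

// The review's sequence: select while offline, clear the selection, reconnect.
function scenario() {
  const uploads = [];
  const network = { online: false, send: (name, bytes) => uploads.push({ name, size: bytes.length }) };
  const file = { name: 'taxes.pdf', bytes: 'constructed sample contents' };

  // Old model: nothing is sent while offline, and nothing after the user clears the input.
  const before = submitImmediately(file, network);
  let selected = null;
  network.online = true;
  const afterClear = submitImmediately(selected, network);

  // New model: the copy made at selection time is uploaded regardless.
  network.online = false;
  const uploader = new DeferredUploader(new Map(), network);
  uploader.onFileSelected(file);
  selected = null;
  network.online = true;
  const sentLater = uploader.onOnline();

  return { before, afterClear, sentLater, uploads };
}
```

The point of the model is the second half of scenario(): once the bytes are in persistent storage, clearing the selection no longer has any effect on whether the file is sent, which is why the review asks for a way for apps to flag unsynced data and for offline data to be clearable on its own.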
Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
Exported to content:
- <link rel="offline-resource"> - Allows an application to mark a resource for offline caching.
- nsIDOMOfflineResourceList.idl - Allows applications to manage a list of offline-cached resources from script (exposed as navigator.offlineResources)
- nsIDOMLoadStatusList.idl - Allows applications to monitor the loading of resources into the offline cache (exposed as navigator.pendingOfflineLoads).
- isLocallyAvailable() in nsIDOMClientInformation.idl - Allows applications to check if a resource is available in the offline cache.
- the fileList attribute in nsIDOMNSHTMLInputElement.idl, which exposes the interfaces in nsIDOMFileList.idl and nsIDOMFile.idl. These let applications get to the content of a file in a file input element.
- XXX: The upcoming WHATWG spec is likely to move these interfaces around a bit.
Exported to XPCOM:
- nsIOfflineCacheSession.idl - Access to the offline cache.
- the cacheForOfflineUse and offlineCacheClientID attributes in nsICachingChannel.idl - Setting up HTTP channels to fetch to the offline cache.
- nsIOfflineCacheUpdate.idl - Manages an atomic update to the offline cache.
Does it interoperate with a web service? How will it do so?
It does not.
Explain the significant file formats, names, syntax, and semantics.
The offline cache is stored as a set of files managed with a sqlite index.
Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
Does it change any existing interfaces?
Changes noted above to nsICachingChannel and nsIDOMNSHTMLInputElement.
Does the feature have any impact on Web compatibility?
This feature adds new capability not present in other browsers. We will need to support the upcoming WHATWG spec.
How will the project contribute (positively or negatively) to "perceived performance"?
There isn't a significant change in performance.
What are the performance goals of the project? How were they evaluated? What is the test or reference platform and baseline results?
No specific performance goals.
Will it require large files/databases (for example, browsing history)?
The offline cache requires caching all resources specified by the application without expiration, and needs to give the application enough local storage to be useful. There is UI planned to let the user keep track of how much space is used by each app.
What failure modes or decision points are presented to the user?
The user has to explicitly decide to go offline for the browser to decide to serve from the offline cache.
XXX: The new WHATWG proposal requires that the offline cache be checked even when online, so we might need to do that soon.
The user is warned when an application exceeds a certain amount of disk usage (currently 50 MB).
Applications will be responsible for warning a user if their cache update fails.
Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
The index is a sqlite database. Active cache entry locks are cleaned up after crashes.
l10n and a11y
are any strings being changed or added?
There are strings added for the UI pieces.
are all UI elements available through accessibility technologies?
Yes, assuming the notification bar is accessible.
Installation, Upgrade/Downgrade/Sidegrade, and platform requirements
Does it equally support all Tier-1 platforms?
Does it have a hardware requirement (or increase minimum requirements)?
No, but offline apps will require disk space.
Does it require changes to the installer?
Does it impact updates?
List the expected behavior of this feature/function when Firefox is upgraded to a newer minor release, downgraded by installation of an earlier revision, or re-installed (same version)
Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
- The total size of the offline cache is configurable in about:config.
- The amount of globalStorage space given to a web app is configurable in about:config
- The amount of disk space that will cause a warning is configurable in about:config
Are there build options for developers? [#ifdefs, ac_add_options, etc.]
If the developer builds without mozStorage, the offline cache will not be built.
What ranges for the tunable are appropriate? How are they determined? XXX
What are its on-going maintenance requirements (e.g. Web links, perishable data files)
If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Google Gears - Google Gears is another implementation of an offline API. Both groups are working toward a common API through the...
- WHATWG offline spec - This is currently just a proposal. When there is a solid spec, we will want to implement it.
Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?
- Do built-in Help pages need modified?
- Documentation for developer.mozilla.org?
any other implementation or design related documentation
Discussion & Implications
Caveats / What We've Tried Before
links to previous design documents, discussions, etc.