Security/Reviews/Firefox4/FileAPI Security Review: Difference between revisions

Latest revision as of 23:51, 29 September 2010

Overview

Describe the goals and objectives of the feature here.

File API spec

Allows a page to obtain a URL for a File object. Loading that URL serves the contents of the file.

Security and Privacy

  • What potential security issues in your feature have you already considered and addressed?

The URL has an origin and is subject to same-origin checks. If origin A generates a URL, origin B can't load from it. Additionally, there is no way for B to obtain the URL unless A explicitly hands it a copy.

There is currently a bug that allows origin B to "revoke" a URL that origin A has generated, but only if it somehow manages to guess the URL.

  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.

Assumption: that the UUIDs in generated URLs can't be guessed (though there are extra layers of security). Risk: possible bugs in how we determine the origin for a given URI.

  • How are transitions in/out of Private Browsing mode handled?

No effects. Maybe there should be?

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)

url = window.createBlobURL(file);   // obtain a URL for a File object, bound to the calling origin
window.revokeBlobURL(url);          // release the URL once the page no longer needs it

  • Does it change any existing interfaces?

nsIDOMWindow2

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)?

Data

  • What data is read or parsed by this feature?
  • What is the output of this feature?
  • What storage formats are used?

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • What ranges for the tunable are appropriate? How are they determined?
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

Relationships to other projects

Are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments

  • File a bug to kill the ability to revoke a cross-origin FileURL by name/url.