Security/Reviews/WebRT: Difference between revisions

← Older edit

Security/Reviews/WebRT (view source)

Revision as of 14:44, 12 June 2012

2,568 bytes added , 12 June 2012

no edit summary

Curtisk

canmove, Confirmed users, Bureaucrats and Sysops emeriti

2,776

edits

@@ Line 3: / Line 3: @@
 |SecReview target=<ul>
 <li> Feature Page: https://wiki.mozilla.org/Apps/WebRT
-<li>{{bug|697006}}
+<li>{{bug|697006}}: enable mozApps API
+<li>{{bug|731541}}: Windows installer
+<li>{{bug|739636}}: Mac installer
+<li>{{bug|725408}}: launcher and shell
+<li>[https://etherpad.mozilla.org/bug-725408 etherpad bug-725408]: scratchpad for responding to review comments
+<li>[https://etherpad.mozilla.org/webapprt-install-flow etherpad webapprt-install-flow]: install flow specification
 </ul>
 }}
@@ Line 40: / Line 45: @@
 The "scope"  of a web app is an origin (protocol+host+port). In the future we might allow the app to specify that it will want to load Facebook or Paypal in order to do a third-party thing temporarily.
 |SecReview alt solutions=* using firefox.exe shortcuts (discussed above)
 |SecReview solution chosen=* for a variety of reasons shown in the discussion above
 |SecReview threats considered=* web apps whose name contains ".."
+|SecReview threat brainstorming=* Does the stub get updated when Firefox is updated?
+** No. We just hope the attack surface is small enough that it's ok to update them when they run.
+* What happens if arguments are passed to the stub on the command line?
+** ... and the stub executable decides to update itself, right then
+* Stub executables cannot be signed, because the icon is smushed into the executable. Will this cause Windows to warn or block the executable?
+** it can be set to do so, but by default it will warn on execution if the sig is wrong
+* Are there domain restrictions on what a web app can load?  (links used to open in firefox, does that still happen? What about changes to window.location?)
+* Do web apps share a cookie store with Firefox?
+** no
+* Does each app have a competely separate profile?
+** Yes
+* What permissions do these web apps have?
+** currently nothing beyond what a webpage has.  they load in a type="content"
+*** except for the ability to appear without a url bar, ...
+* web apps whose name is the same as an app the user already has installed (spoofing, overwriting)
+** given the way refrenced this should not be a problem
+* finding libxul.dll in the working directory (make sure we use the new, secure version of the dll search path)
+* Spoofing Facebook or Paypal logins. User has no way to tell if it's legit.  Can we say "BrowserID logins only", or send it over to the web browser?
+* Can a web app change its icon on the fly? (Suddenly spoofing Firefox or Windows Update, for example)\
 }}
 {{SecReviewActionStatus
-|SecReview action item status=None
+|SecReview action item status=In Progress
+|SecReview action items=<table border="1">
+<tr>
+	<td>Who</td>
+        <td>bug</td>
+	<td>Action</td>
+	<td>By When</td>
+	<td>Completed date
+		{{new|new}}
+		{{done|Done}}
+		{{miss|Miss}}
+	</td>
+</tr>
+<tr>
+	<td>myk </td>
+        <td>{{bug|741954}}</td>
+	<td>navigating "off origin" needs to open in browser </td>
+	<td> by ship</td>
+	<td>{{new|new}} </td>
+</tr>
+<tr>
+	<td>myk </td>
+        <td><strike>{{bug|741955}}</strike> {{bug|707836}}</td>
+	<td>if whitelisted 3rd party pages/domains are allowed those need to be clearly identified in chrome when they're opened </td>
+	<td>by ship </td>
+	<td>{{new|new}} </td>
+</tr>
+</table>
+<bugzilla>
+{
+"id":"741954,707836"
+}
+</bugzilla>
 }}