Security/Reviews/Gaia/InterAppCommunicationAPI: Difference between revisions
(→Gaia) |
|||
| Line 105: | Line 105: | ||
==== Secure Communications ==== | ==== Secure Communications ==== | ||
TBD | |||
==== Secure Data Storage ==== | ==== Secure Data Storage ==== | ||
TBD | |||
==== Denial of Service ==== | ==== Denial of Service ==== | ||
TBD | |||
==== Interfaces with other Apps/Content==== | ==== Interfaces with other Apps/Content==== | ||
TBD | |||
=== Gecko === | === Gecko === | ||
Revision as of 21:15, 31 January 2014
Review Details
- Topic: Inter-App Communication API
- Review Date: January, 2014
- Status: Ongoing/Incomplete
- Review Lead: Rob Fletcher <rfletcher@mozilla.com> (:omerta)
- Repo:
- Connections: Gene Lian <glian@mozilla.com>, "Fernando Jiménez Moreno" <ferjmoreno@gmail.com>
- Main Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=876397
- Wiki: https://wiki.mozilla.org/WebAPI/Inter_App_Communication_Alt_proposal
Overview
The Inter-App Communication API will allow apps to communicate in a publisher/subscriber model.
Apps will register for communication in their manifest file, defining specific restrictions and details relating to the communications desired. An application can setup to send communications and/or handle communications.
Currently, only certified apps are allowed to do connections, but there are plans to open them up in the future.
Source Code
Gaia
- shared/js/iac_handler.js - handles IAC messages
- shared/js/fxa_iac_client.js - Firefox Accounts IAC client
Gecko
- dom/apps/src/Webapps.js - cpmm("Webapps:Connect"...), cpmm("Webapps:GetConnections"...)
- dom/apps/src/Webapps.jsm - process manifest file for new ‘connections’
- dom/apps/src/InterAppComm.cpp
- dom/apps/src/InterAppCommService.js
- parent process, does checking of installOrigin, manifestURLs, and minimumAcccessLevel, main file for API
- dom/apps/src/InterAppConnection.js - child process, InterAppConnection object
- dom/apps/src/InterAppMessagePort.js - child process, InterAppMessagePort object
WebIDL
- dom/webidl/InterAppConnection.webidl - MozInterAppConnection
- dom/webidl/InterAppConnectionRequest.webidl - MozInterAppConnectionRequest
- dom/webidl/MozInterAppMessageEvent.webidl - MozInterAppMessageEvent
- dom/webidl/InterAppMessagePort.webidl - MozInterAppMessagePort
IDL
- dom/interfaces/apps/nsIDOMApplicationRegistry.idl - registers connect() and getConnections()
- dom/interfaces/apps/nsIInterAppCommService.idl - nsIInterAppCommService
Security Features
manifest ‘rules’
minimumAccessLevel
Defines a ‘minimum’ application type level: web, privileged, or certified. Defaults to ‘web’.
installOrigins
A list of install origins from where subscriber apps should have been installed. Since certified apps has not a valid install origin, these constraint does not apply to them.
manifestURLs
Can be used to set specific subscribers by a list of manifestURLs.
Current Usage
connect()
- apps/bluetooth/js/transfer.js:216: app.connect('bluetoothTransfercomms').then(function(ports) {
- apps/communications/dialer/js/calls_handler.js:114: app.connect('dialercomms').then(function(ports) {
- apps/communications/ftu/js/tutorial.js:123: app.connect('ftucomms').then(function onConnAccepted(ports) {
- apps/homescreen/everything.me/js/search/control.js:12: app.connect('search-results').then(
- apps/search/js/search.js:37: app.connect('search-results').then(
- apps/system/js/rocketbar.js:249: app.connect('search').then(
- apps/system/test/marionette/fakemusic/js/comms.js:34: app.connect('mediacomms').then(function(ports) {
- shared/js/media/remote_controls.js:184: app.connect('mediacomms').then(function(ports) {
apps/search/manifest.webapp
28 "search": {
29 "handler_path": "index.html",
30 "description": "Proxies search to copied search app. Should be moved to the search app manifest if we split the app up.",
31 "rules": {}
apps/system/js/rocketbar.js:249: app.connect('search')...
Used by System app, in rocketbar.js, to insert '...the search app iframe into the dom'
apps/system/manifest.webapp
83 "mediacomms": {
84 "description": "Communication with media apps for now playing info",
85 "rules": {}
87 "search-results": {
88 "description": "Communicate between search results and search app",
89 "rules": {}
91 "ftucomms": {
92 "description": "Communicate between communications/ftu and System",
93 "rules": {}
95 "bluetoothTransfercomms": {
96 "description": "Communication with bluetooth apps for sending files info",
97 "rules": {}
99 "dialercomms": {
100 "description": "Communication with dialer app for sleep message",
101 "rules": {}
103 "fxa-mgmt": {
104 "description": "Firefox Accounts management API",
105 "rules": {
106 "minimumAccessLevel": "certified"
107 }
Review Notes
Gaia
XSS & HTML Injection Attacks
TBD
Secure Communications
TBD
Secure Data Storage
TBD
Denial of Service
TBD
Interfaces with other Apps/Content
TBD
Gecko
1. Content/Chrome Segregation
DownloadsAPI is implemented using WebIDL. There was a lot of discussion around what to expose in the case when a page does not have the permission present - see bug 957592 for details.
2. Process Segregation
Inter-process communication is performed through DownloadsIPC.jsm & DownloadsAPI.jsm. We are mainly interested in the message which the parent listens for:
- Downloads:GetList
- Downloads:ClearAllDone
- Downloads:Remove
- Downloads:Pause
- Downloads:Resume
Permissions are checked in the parent before processing any messages, using the standard approach:
144 receiveMessage: function(aMessage) {
145 if (!aMessage.target.assertPermission("downloads")) {
146 debug("No 'downloads' permission!");
147 return;
148 }
One issue was identified in the way the message was processed however - see bug 966141 for details.
3. Data validation & Sanitization
The API accepts only minimal data from content, and as such the attack surface is very small, and no issues were found.
4. Denial of Service
960739 was identified as a potential DoS scenario.
Concerns (To-Delete)
- http://mxr.mozilla.org/mozilla-central/source/b2g/chrome/content/shell.js#748
- I think we can control ‘keyword’ and this looks like its chrome code
- I think a lot of this just needs to be put through manual testing.
- http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/InterAppCommService.js#349
- does checking for ‘security’ things. It uses 2 fields each time. ex. aSubAppManifestURL and aPubAppManifestURL. Can i set one of those on my app and ‘bypass’ these tests
- So this uses postMessage, is there any opportunity for other apps just listening for 'message' will be able to intercept sensitivei comms?
manifest
- The installOrigins field inside manifest file limits communications origins. This needs to be tested
- also, them seem to just be a domain name, are we not doing port, domain, protocol along with app id?