Security/Reviews/Firefox6/ReviewNotes/AddOns

From MozillaWiki

Date of Review: 2011.05.25

Item Reviewed:

Add-on Installation

Pri1:

  • move from modal to arrow panel
  • timer change

- how are multiple installs at once being handled?

  • the dialogs will stack until a certain number then scroll (not z-index)
    • error handling still needs some work
  • "Author not verified" messaging is changing for add-ons from AMO
    • Need verification that reviews have been done to a level that supports this security statement
    • too much reliance on automated scan for this check, more in depth analysis is needed
    • Concept is good

Pri2:

  • download before install and ask -or- ask then download
    • old: ask then download; changed in FX4 to download then ask for several reasons (e.g. compatibility)
  • ask then download is the preferred method from a security perspective

Issues:

  • possible API changes to support messaging for reviewed, "good" add-ons

Followups:

  • need a set of heuristics for making decisions on how the add-on experience flows (future work)
  • review error handling when complete

Third Party Add-on Confirmation

  • if install without restart, tab closes
  • old style: continue changes to "you have to restart"
  • can also be enabled from the add-ons manager

Questions:

Issues:

  • N/A

Followups:

  • N/A

Previous Discussions

From 4.7.2011

  • possible changes to add-on dialogs and their impact
  • goal improve add-on installation for users
    • lengthy steps seem inconsistent to users, e.g. the countdown and UI differences
    • perception that even AMO is not trusted, even when the add-on comes from Mozilla
    • implication is this should not be trusted even if linked to by trusted spaces.
  • streamline process, make easier, less clicks, possibly reduce or remove countdown

Q: What are the risks entailed in installation and is AMO less risk than other sites?

  • Should be clear that AMO is a website that is part of the app, but what if AMO is hacked? Does this necessarily help?
  • If you go to AMO as a website then this is a preferred experience, like the bits in FX
    • Desire: AMO having a different status
    • Dialog is needed as clickjacking is still prevalent/possible on AMO
    • A site cannot frame the add-on tab, whereas getting a click attack on AMO is somewhat trivial
  • Need clear dialog for AMO sandbox

mockup: https://people.mozilla.com/%7Ejboriss/dump/flow_chart_for_addon_download2.pdf

suggestions:

  • We could lower the delay from 2 noisy seconds to 1 quiet second (added to goals above)
  • We could show the user-intent-verification first, before the download finishes. Then there aren't 2 separate "waiting" steps as long as the download is fast (added to goals above)
    • this would require AMO to supply the information that's supposed to appear in the dialog, as part of the InstallTrigger call, but it would make the UI much better.
  • We could make it so any link to addons.mozilla.org opens in a new tab, and use browser-side defenses against clickjacking on that tab (not a current goal)
  • We could deny InstallTrigger if clicked within 1 second of selecting the tab/window, to make clickjacking AMO harder
  • Rather than author information, which is never verified, could show AMO status
    • (not on AMO; sandboxed; full review; old version)
    • popularity
    • average review score
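Two of the suggestions above are timing defenses: a quiet delay before the confirmation panel accepts a click, and refusing an InstallTrigger that arrives within a second of the tab or window being selected. The following is an added example, not code from the review notes or from Firefox, that shows how such a gate can be structured so that both checks fail closed when no focus or panel event has been recorded. The class name, method names, thresholds and the fake-clock walkthrough are all assumptions made for this illustration.

```javascript
// Added example (not from the MozillaWiki review notes or Firefox): a timing
// gate for add-on installation, modelled on two suggestions in the notes:
//   1. a quiet delay after the confirmation panel appears before its Install
//      button accepts a click;
//   2. refusing a page-initiated InstallTrigger that arrives too soon after the
//      tab/window was selected, to make clickjacking on AMO harder.
// Names and thresholds are assumptions chosen for this illustration.

const PANEL_DELAY_MS = 1000;  // "1 quiet second" before the Install button is live
const FOCUS_DELAY_MS = 1000;  // ignore InstallTrigger within 1 s of tab/window selection

class InstallIntentGate {
  constructor() {
    this.focusedAt = null;     // timestamp (ms) when the tab/window last gained focus
    this.panelShownAt = null;  // timestamp (ms) when the confirmation panel was shown
  }

  // In a real browser UI this would be driven by focus/visibilitychange events.
  onTabSelected(now) {
    this.focusedAt = now;
    // A focus change invalidates any panel already on screen: the user may
    // not have seen it in its current position, so restart the quiet period.
    if (this.panelShownAt !== null) this.panelShownAt = now;
  }

  // Called when the confirmation panel is displayed to the user.
  onPanelShown(now) {
    this.panelShownAt = now;
  }

  // Should a page-initiated InstallTrigger call be honoured?
  // Fails closed when no focus event has been recorded.
  checkInstallTrigger(now) {
    if (this.focusedAt === null) {
      return { allowed: false, reason: 'no-focus-recorded' };
    }
    if (now - this.focusedAt < FOCUS_DELAY_MS) {
      return { allowed: false, reason: 'too-soon-after-focus' };
    }
    return { allowed: true, reason: 'ok' };
  }

  // Should a click on the confirmation panel's Install button count?
  // Fails closed when the panel has not actually been shown.
  checkConfirmClick(now) {
    if (this.panelShownAt === null) {
      return { allowed: false, reason: 'panel-not-shown' };
    }
    if (now - this.panelShownAt < PANEL_DELAY_MS) {
      return { allowed: false, reason: 'too-soon-after-panel' };
    }
    return { allowed: true, reason: 'ok' };
  }
}

// Constructed walkthrough using a fake millisecond clock; returns the list of
// decisions so the sequence can be inspected or checked.
function demo() {
  const gate = new InstallIntentGate();
  const log = [];
  log.push(gate.checkInstallTrigger(9000).reason);   // no-focus-recorded
  gate.onTabSelected(10000);
  log.push(gate.checkInstallTrigger(10300).reason);  // too-soon-after-focus
  log.push(gate.checkInstallTrigger(11200).reason);  // ok
  gate.onPanelShown(11200);
  log.push(gate.checkConfirmClick(11500).reason);    // too-soon-after-panel
  gate.onTabSelected(11600);                         // switching tabs restarts the quiet period
  log.push(gate.checkConfirmClick(12300).reason);    // too-soon-after-panel
  log.push(gate.checkConfirmClick(12700).reason);    // ok
  return log;
}
```

The gate deliberately reports a reason rather than a bare boolean so the UI can explain a refused click (or a refused InstallTrigger) instead of silently dropping it, which is the "error handling still needs some work" point raised under Pri1.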

Unresolved Questions:

  • AMO warnings (slows down Firefox? has privacy policy?)