Firefox 3.6/Personas Uplift Security Review
Overview
Describe the goals and objectives of the feature here.
- Background links
- feature-tracking bug links
- specs or design docs
Security and Privacy
- What potential security issues in your feature have you already considered and addressed?
- we don't verify that the files stored as profile-folder/lightweighttheme-header and profile-folder/lightweighttheme-footer are in fact images.
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
Exported APIs
The browser accepts these events from content: InstallBrowserTheme, PreviewBrowserTheme, ResetBrowserThemePreview. InstallBrowserTheme requires the event target to have a data-browsertheme attribute which contains a JSON string.
Example page: https://bug511771.bugzilla.mozilla.org/attachment.cgi?id=399709
The decoded object must contain: "id", "name", "headerURL". It may contain: "footerURL", "textcolor", "accentcolor", "iconURL", "previewURL", "author", "description", "homepageURL". All values must be strings. Keys ending with "URL" must be absolute URLs or URLs relative to the event target's baseURI. Invalid URLs and URLs that don't start with https?: are dropped. Empty strings are dropped.
The InstallBrowserTheme event causes the theme to be installed if the site is on the xpinstall whitelist and raises a notification bar otherwise. The PreviewBrowserTheme and ResetBrowserThemePreview events are honoured for whitelisted sites only. Previews are reset automatically after 30 seconds, in case the ResetBrowserThemePreview event is never dispatched.
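The following is an added illustration, not Firefox's own code, of the data-browsertheme validation rules described above: the attribute is parsed with JSON.parse, only the listed required and optional keys are kept, every kept value must be a non-empty string, keys ending in "URL" are resolved against the event target's baseURI, and anything that does not parse as a URL or does not start with http: or https: is dropped. The function names, the treatment of non-string and unrecognised keys (dropped), and the sample attribute are this example's own assumptions.

```javascript
// Added example (not Firefox's code): apply the data-browsertheme rules to the
// JSON string a page places on the InstallBrowserTheme event target.
const REQUIRED_KEYS = ["id", "name", "headerURL"];
const OPTIONAL_KEYS = ["footerURL", "textcolor", "accentcolor", "iconURL",
                       "previewURL", "author", "description", "homepageURL"];

// Resolve `value` against `baseURI` (the event target's baseURI). Keep it only
// if it parses and the resulting scheme is http: or https:; otherwise null.
function sanitizeURL(value, baseURI) {
  let resolved;
  try {
    resolved = new URL(value, baseURI);
  } catch (e) {
    return null;                       // invalid URL: dropped
  }
  if (!/^https?:$/.test(resolved.protocol)) {
    return null;                       // javascript:, data:, file:, chrome:, ftp: ... dropped
  }
  return resolved.href;
}

// Parse and sanitize the attribute value. Returns the cleaned theme object, or
// null when the value is not valid JSON, not a plain object, or is missing a
// required key once sanitization has run.
function parseBrowserThemeAttribute(attrValue, baseURI) {
  let data;
  try {
    data = JSON.parse(attrValue);      // JSON.parse, never eval
  } catch (e) {
    return null;
  }
  if (!data || typeof data !== "object" || Array.isArray(data)) {
    return null;
  }
  const theme = {};
  for (const key of REQUIRED_KEYS.concat(OPTIONAL_KEYS)) {
    let value = data[key];
    // Assumption: a non-string value is treated like an absent key.
    if (typeof value !== "string") continue;
    if (value === "") continue;        // empty strings are dropped
    if (key.endsWith("URL")) {
      value = sanitizeURL(value, baseURI);
      if (value === null) continue;
    }
    theme[key] = value;
  }
  // Assumption: keys outside the two lists are simply not copied.
  for (const key of REQUIRED_KEYS) {
    if (!(key in theme)) return null;  // required key missing or dropped
  }
  return theme;
}

// Constructed sample attribute, as a page might set it on the event target
// before dispatching InstallBrowserTheme. Not taken from any real page.
const SAMPLE_ATTR = JSON.stringify({
  id: "example-theme",
  name: "Example",
  headerURL: "header.jpg",             // relative: resolved against baseURI
  footerURL: "javascript:alert(1)",    // not http(s): dropped
  iconURL: "",                         // empty: dropped
  textcolor: "#000000",
  accentcolor: 42,                     // not a string: dropped
  extra: "ignored"                     // not a known key: not copied
});
const SAMPLE_BASE_URI = "https://www.example.com/themes/";

// Stand-alone usage: in a page this would run in the browser after the
// event is received; here it is just called directly.
console.log(parseBrowserThemeAttribute(SAMPLE_ATTR, SAMPLE_BASE_URI));
```

Running the block prints a theme whose headerURL has become https://www.example.com/themes/header.jpg and which carries neither footerURL, iconURL nor accentcolor. The same function returns null for input that is not JSON, for a JSON array, and for an object whose only headerURL is an ftp: URL, since the required key is dropped and the theme is then rejected.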
Module interactions
Data
- What data is read or parsed by this feature?
- the data-browsertheme attribute is read from content and parsed using JSON.parse
- What is the output of this feature?
- What storage formats are used?
- prefs and profile-folder/lightweighttheme-header, profile-folder/lightweighttheme-footer
Reliability
- What failure modes or decision points are presented to the user?
- When the InstallBrowserTheme event is dispatched on a content node, a notification bar appears, saying that this site (the location.host of the node's ownerDocument) attempted to install a theme. There's an "Allow" button. Not approved for 1.9.2 yet: When a theme has been installed, another notification bar confirms that a theme has been installed, allowing the user to undo this or open the add-ons manager's themes pane.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
Configuration
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
- Are there build options for developers? [#ifdefs, ac_add_options, etc.]
- What ranges for the tunable are appropriate? How are they determined?
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
Relationships to other projects
Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?