Firefox 3.6/Personas Uplift Security Review
Overview
Describe the goals and objectives of the feature here.
- Background links
- feature-tracking bug links
- specs or design docs
Security and Privacy
- What potential security issues in your feature have you already considered and addressed?
- We don't verify that the files stored as profile-folder/lightweighttheme-header and profile-folder/lightweighttheme-footer are in fact images.
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
- The xpinstall whitelist is re-used, since the capability it's associated with is "Install Extensions or Themes", where lightweight themes fit in. getpersonas.com is by default whitelisted.
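As an added illustration of the first point above (this is example code written for this review page, not Firefox's own implementation): a content sniff that accepts a downloaded header or footer file only if it starts with a known raster-image signature. Function names (`sniffImageType`, `isAcceptableThemeImage`), the signature table, and the sample byte strings are all constructed for the example.

```javascript
// Added example (not Firefox code): reject a downloaded header/footer file
// unless it begins with a known image signature, before it is kept as
// profile-folder/lightweighttheme-header or -footer. The review notes that
// Firefox 3.6 performs no such check. Works on a Uint8Array so it can be
// applied to a file read back from disk or to a response body.

// Hypothetical signature table (assumption: these three formats are the
// ones a lightweight theme is expected to use).
const IMAGE_SIGNATURES = [
  { type: "image/png",  magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Return the sniffed MIME type, or null if no signature matches.
function sniffImageType(bytes) {
  for (const { type, magic } of IMAGE_SIGNATURES) {
    if (bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b)) {
      return type;
    }
  }
  return null;
}

// The gate a persist step would apply before keeping the file.
function isAcceptableThemeImage(bytes) {
  return sniffImageType(bytes) !== null;
}

// Constructed samples: the first is the start of a PNG file (signature plus
// the IHDR chunk header); the second is an HTML document, which an
// unchecked download would have written to the profile as-is.
const PNG_HEAD = new Uint8Array([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
]);
const HTML_HEAD = new TextEncoder().encode("<!DOCTYPE html><html>");

console.log(sniffImageType(PNG_HEAD), isAcceptableThemeImage(HTML_HEAD));
```

A signature check only establishes that the file claims to be an image; it does not protect the image decoder itself, so it complements rather than replaces the usual decoder hardening.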
Exported APIs
The browser accepts these events from content: InstallBrowserTheme, PreviewBrowserTheme, ResetBrowserThemePreview. InstallBrowserTheme requires the event target to have a data-browsertheme attribute which contains a JSON string.
Example page: https://bug511771.bugzilla.mozilla.org/attachment.cgi?id=399709
The decoded object must contain: "id", "name", "headerURL". It may contain: "footerURL", "textcolor", "accentcolor", "iconURL", "previewURL", "author", "description", "homepageURL". All values must be strings. Keys ending with "URL" must be absolute URLs or URLs relative to the event target's baseURI. Invalid URLs and URLs that don't start with https?: are dropped. Empty strings are dropped.
The InstallBrowserTheme event causes the theme to be installed if the site is on the xpinstall whitelist and raises a notification bar otherwise. The PreviewBrowserTheme and ResetBrowserThemePreview events are allowed for whitelisted sites only. Previews are reset automatically after 30 seconds, in case the ResetBrowserThemePreview event is never dispatched.
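The validation rules above, as an added worked example (written for this page; it is not the Firefox 3.6 code, and the function names `parseThemeAttribute` and `sanitizeURL`, the key tables and the sample descriptor are constructed). It assumes that keys not in the required or optional lists are silently discarded, which the description does not state either way.

```javascript
// Added example (not Firefox code): validate the JSON found in a
// data-browsertheme attribute as the review describes. Required keys must
// be present, every value must be a string, empty strings are dropped, and
// keys ending in "URL" are resolved against the event target's baseURI and
// dropped unless they are http: or https:.

const REQUIRED_KEYS = ["id", "name", "headerURL"];
const OPTIONAL_KEYS = ["footerURL", "textcolor", "accentcolor", "iconURL",
                       "previewURL", "author", "description", "homepageURL"];

// Resolve `value` against `baseURI` (relative URLs are allowed) and return
// the absolute form, or null if it does not parse or is not http(s).
function sanitizeURL(value, baseURI) {
  let url;
  try {
    url = new URL(value, baseURI);
  } catch (e) {
    return null;                       // unparsable: dropped
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;                       // any other scheme: dropped
  }
  return url.href;
}

// Parse the attribute text. Returns the cleaned theme object, or null when
// the descriptor is unusable: bad JSON, not an object, a non-string value,
// or a required key missing after empty/invalid values were dropped.
function parseThemeAttribute(jsonText, baseURI) {
  let raw;
  try {
    raw = JSON.parse(jsonText);
  } catch (e) {
    return null;
  }
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    return null;
  }
  const theme = {};
  for (const key of [...REQUIRED_KEYS, ...OPTIONAL_KEYS]) {
    let value = raw[key];
    if (value === undefined) continue;            // unknown keys are ignored (assumption)
    if (typeof value !== "string") return null;   // all values must be strings
    if (value === "") continue;                   // empty strings are dropped
    if (key.endsWith("URL")) {
      value = sanitizeURL(value, baseURI);
      if (value === null) continue;               // invalid URL dropped
    }
    theme[key] = value;
  }
  for (const key of REQUIRED_KEYS) {
    if (!(key in theme)) return null;             // e.g. headerURL was dropped
  }
  return theme;
}

// Constructed sample: what a site might place in data-browsertheme, with a
// relative headerURL, a non-http(s) footerURL and an empty iconURL.
const SAMPLE_ATTRIBUTE = JSON.stringify({
  id: "example-theme-1",
  name: "Example",
  headerURL: "images/header.jpg",
  footerURL: "ftp://example.org/footer.png",
  iconURL: "",
  homepageURL: "https://example.org/",
  textcolor: "#ffffff",
});
const SAMPLE_BASE = "https://example.org/themes/";

console.log(parseThemeAttribute(SAMPLE_ATTRIBUTE, SAMPLE_BASE));
```

With the sample input, headerURL resolves to the absolute https URL, footerURL and iconURL are dropped, and the remaining keys pass through unchanged; a descriptor whose headerURL is dropped fails validation entirely because a required key is then missing.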
Module interactions
Data
- What data is read or parsed by this feature?
- the data-browsertheme attribute is read from content and parsed using JSON.parse
- What storage formats are used?
- prefs (boolean & JSON strings) and actual files: profile-folder/lightweighttheme-header, profile-folder/lightweighttheme-footer
Reliability
- What failure modes or decision points are presented to the user?
- When the InstallBrowserTheme event is dispatched on a content node, a notification bar appears, saying that this site (the location.host of the node's ownerDocument) attempted to install a theme. There's an "Allow" button. Not approved for 1.9.2 yet: When a theme has been installed, another notification bar confirms that a theme has been installed, allowing the user to undo this or open the add-ons manager's themes pane.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- We depend on nsIWebBrowserPersist.saveURI when it comes to storing the header and footer images.
Configuration
Relationships to other projects
Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?