Extension Blocklisting
Please comment in the Talk page (use the Discussion tab above)
Tracked by: bug 318338
Goals & Objectives
Planned Milestones
| Milestone | Component | Status |
|---|---|---|
| Alpha 1 | Extension Manager | code complete |
| | User Interface | operational (needs tuning) |
| Alpha 2 | Blacklist File | hosted / owned on A.M.O. |
| | Blacklist Details page | hosted / owned on mozilla.com |
| | User Interface | code complete |
Overview
Firefox runs both extensions and plugins with the browser's full privileges, so a vulnerable extension or plugin exposes users to attack, whether the hole was left open intentionally (a malicious extension or plugin installed through some trickery) or unintentionally.
Once an exploit is known to the community, it should be our responsibility to take measures to protect our installed users from these attack vectors. To do so, a "blacklist" will be kept which will be an always up-to-date list of plugin and extension versions that have been found to be vulnerable to attack. A local copy of this list will be updated using the Software Update mechanism. If an installed plugin or extension matches this list, it will be disabled and the user will be informed.
Background
Use Cases
Functional Requirements
- Inform users when a blacklisted item has been detected
  - tell users what this means
  - provide a link to more information
  - disable the item
- Provide some level of control over whether the blacklist is enabled
  - probably not first-level UI for this (about:config prefs)
- Some way of indicating that an installed extension is disabled because it has been blacklisted
  - should still allow a user to check for updates
- Every application should have its own blacklist (e.g. a unique blacklist URL)
  - an extension could be insecure with one application and secure with another
- It should be possible to specify an application version range that an extension is insecure with
  - an update to the application can make an extension secure, and we still need it to be blacklisted for other versions of the application
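The following is an added example, not code from this page or from Firefox itself, showing how the matching rules in the overview and the requirements above fit together: a blocklist entry names an extension, an extension version range, and, per application, the application version range in which that extension is insecure; an installed item that matches is disabled but stays listed (so updates can still be checked) and carries a link to a details page. The entry structure, the simplified dotted-numeric version comparison, the application ids (`firefox`, `thunderbird`) and the sample entries are all assumptions constructed for the example.

```python
"""Added example: matching installed extensions against a per-application blocklist.

Illustrative code written for this page, not Firefox's own implementation.
Assumptions: blocklist entries have the shape of BlocklistEntry below, versions are
purely dotted-numeric, and application ids are plain strings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.0.4' -> (2, 0, 0, 4). Assumption: numeric parts only."""
    return tuple(int(part) for part in v.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Shorter versions are zero-padded so '1.5' == '1.5.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version: str, low: Optional[str], high: Optional[str]) -> bool:
    """Inclusive range check; None on either side means unbounded."""
    if low is not None and compare_versions(version, low) < 0:
        return False
    if high is not None and compare_versions(version, high) > 0:
        return False
    return True


@dataclass
class BlocklistEntry:
    """One insecure extension version range.

    target_apps maps an application id to the (min, max) application version
    range in which this extension range is insecure. An application absent
    from the map is unaffected (each application has its own list).
    """
    ext_id: str
    min_version: Optional[str] = None
    max_version: Optional[str] = None
    target_apps: Dict[str, Tuple[Optional[str], Optional[str]]] = field(default_factory=dict)
    details_url: str = ""


@dataclass
class InstalledItem:
    ext_id: str
    version: str


def find_block(item: InstalledItem, app_id: str, app_version: str,
               blocklist: List[BlocklistEntry]) -> Optional[BlocklistEntry]:
    """Return the first blocklist entry that applies to this item in this application."""
    for entry in blocklist:
        if entry.ext_id != item.ext_id:
            continue
        if not in_range(item.version, entry.min_version, entry.max_version):
            continue
        app_range = entry.target_apps.get(app_id)
        if app_range is None:
            continue  # entry is scoped to other applications only
        if in_range(app_version, app_range[0], app_range[1]):
            return entry
    return None


def apply_blocklist(installed: List[InstalledItem], app_id: str, app_version: str,
                    blocklist: List[BlocklistEntry]) -> List[dict]:
    """Report every installed item: blocked items are disabled, kept in the list
    (updates can still be checked) and given the details link to show the user."""
    report = []
    for item in installed:
        entry = find_block(item, app_id, app_version, blocklist)
        report.append({
            "id": item.ext_id,
            "version": item.version,
            "enabled": entry is None,
            "blocked": entry is not None,
            "details": entry.details_url if entry else None,
        })
    return report


# Constructed sample blocklist (placeholder ids, versions and URL).
SAMPLE_BLOCKLIST = [
    # Versions 1.0-1.5 are insecure with firefox 1.5 through 2.0.0.x;
    # a later firefox is assumed to have closed the hole, so it is not blocked there.
    BlocklistEntry("vuln@example.com", "1.0", "1.5",
                   {"firefox": ("1.5", "2.0.0.99")},
                   "https://example.invalid/blocklist/vuln"),
    # Every version is insecure with thunderbird only; firefox is unaffected.
    BlocklistEntry("other@example.com", None, None,
                   {"thunderbird": (None, None)},
                   "https://example.invalid/blocklist/other"),
]


if __name__ == "__main__":
    installed = [InstalledItem("vuln@example.com", "1.2"),
                 InstalledItem("other@example.com", "2.0")]
    for row in apply_blocklist(installed, "firefox", "2.0.0.4", SAMPLE_BLOCKLIST):
        print(row)
```

Running the block prints one row per installed item; in the constructed data only `vuln@example.com` 1.2 is disabled under firefox 2.0.0.4, while the same extension under a hypothetical firefox 3.0, or `other@example.com` under firefox, stays enabled, which is exactly the per-application and per-application-version behaviour the requirements ask for.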
Plans & Design Documents
API Changes Required
Impact
The current design impacts the following areas of development