Extension Manager:Security Review

From MozillaWiki
Revision as of 09:47, 22 October 2007 by Mossop (talk | contribs)
Jump to navigation Jump to search

Status

Feature tracking bug
  • bug 257155 - Support shipping of localized user-facing addon text
  • bug 391730 - Add-ons Manager Plugins UI for Firefox 3.0
  • bug 252830 - Blocked XPI install should have allow once feature
  • bug 369075 - Add permanent button for restarting Firefox to Add-ons Mgr
  • bug 297903 - Extension updates should link to further information
  • bug 384956 - Provide access to extension options from app options
  • bug 378216 - Disable insecure extension updates by default

Has a design review been completed? The UX team, Pike and dveditz have reviewed relevant aspects of the features though nothing so formal as a design review has occurred.

When do you anticipate the feature landing The main parts of all of the above have new landed with some final fixes still to be implemented.

Overview

Describe the goals and objectives of the feature here. Goals for the new work:

  • Simplify the installation and management of all types of add-ons where possible
  • Present information about add-ons in an appropriate locale for the user at all times
  • Provide the user with more information about updated add-ons and protect them from installing updates insecurely

Use Cases

Describe the primary use cases for the feature here.

  • Installing new add-ons
  • Configuring add-ons
  • Enabling/Disabling/Uninstalling existing add-ons

Requirements

List functional and non-functional requirements for the feature here, with links back to any relevant product PRD. These requirements should be prioritized.

PRD: http://wiki.mozilla.org/Firefox3/Product_Requirements_Document#Add-ons

Schedule

Describe the rough schedule here, linking back to relevant product release milestones, as well as linking to any build/release notes.

The restart button and l10n work landed for alpha 6, the other parts landed for alpha 8. Specific bugs have the target milestone set appropriately.

UI Design Documentation

use cases and expected user knowledge (terminology, metaphors, etc) design mockups (of whatever fidelity is easiest) links to relevant user data, bugs, reports, examples, etc

Design Impact

Security and Privacy

  • What security issues do you address in your project?

New work involves ensuring that MITM attacks cannot occur during the add-ons update process, this involves ensuring that updates are either delivered by ssl secured connections or have been signed by a cryptographic key pair, the public part of which is already known to the application.

  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?

The Add-ons manager attempts to recover in the event of corrupt/missing configuration files.

  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.

The ability to install extensions into the application is itself a potential risk since the extension runs as a privileged component of the application able to perform any operation that the regular application can.

The install whitelist is in place to make it more difficult to install an extension from a non-trusted source. The update security restrictions ensure that once an extension is installed it's update cannot be circumvented by a third party.

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)

nsIExtensionManager.idl nsIBlocklistService.idl

  • Does it interoperate with a web service? How will it do so?

The Add-ons manager retrieves update information about installed and add-ons to be installed from remote servers. This is done using the regular HTTP protocol retrieving a file in an RDF format as described in the update manifest documentation.

  • Explain the significant file formats, names, syntax, and semantics.

Each add-on is delivered as an xpi file which is just a simple zip file. There are a number of files existing for each add-on to enable installation and subsequent updating:

  • install.rdf holds per-add-on metadata that describes what version the add-on is, what applications it can be installed into and user-facing information such as a name and description.
  • update.rdf is retrieved from the internet to tell the add-ons manager updated information about the current add-on and any updates that are available for it.
  • Other files in the add-on are not really used by the add-ons manager however the application makes use of them to run the add-on. The structure of the addon a bundle.

The Add-ons manager maintains 3 state files in the user's profile directory:

  • extensions.rdf holds the bulk of information about all installed add-ons, the majortiy of this is copied from the add-on's install.rdf file and state information such as blocklisting, disabling status is held here.
  • extensions.ini contains a list of the directories of currently installed and enabled add-ons. This is used by the application, the add-ons manager the current list of add-ons to this but does not read from it.
  • extensions.cache contains a list of all the known add-ons together with state information about the last modified time and any operations waiting to be performed. This is used to increase startup performance by allowing the add-ons manager to avoid loading extensions.rdf unless necessary.
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
  • Does it change any existing interfaces?

Web Compatibility

  • Does the feature had any impact on Web compatibility?

Performance

  • How will the project contribute (positively or negatively) to "perceived performance"?
  • What are the performance goals of the project? How were they evaluated? What is the test or reference platform and baseline results?
  • Will it require large files/databases (for example, browsing history)?

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

l10n and a11y

  • are any strings being changed or added?
  • are all UI elements available through accessibility technologies?

Installation, Upgrade/Downgrade/Sidegrade, and platform requirements

  • Does it equally support all Tier-1 platforms?
  • Does is have a hardware requirement (or increase minimum requirements)?
  • Does it require changes to the installer?
  • Does it impact updates?
  • list the expected behavior of this feature/function when Firefox is upgraded to a newer minor release, downgraded by installation of an earlier revision, or re-installed (same version)

configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
  • What ranges for the tunable are appropriate? How are they determined?
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

Relationships to other projects - are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Documentation

  • Do built-in Help pages need modified?
  • Documentation for developer.mozilla.org?

Other

any other implementation or design related documentation

Discussion & Implications

Caveats / What We've Tried Before

links to previous design documents, discussions, etc.

References

links to external documents that could inform the design of the feature

Retrieved from "https://wiki.mozilla.org/index.php?title=Extension_Manager:Security_Review&oldid=71737"