Security/Reviews/Gaia/InterAppCommunicationAPI
Jump to navigation
Jump to search
Review Details
- Topic: Inter-App Communication API
- Review Date: January, 2014
- Status: Ongoing/Incomplete
- Review Lead: Rob Fletcher <rfletcher@mozilla.com> (:omerta)
- Repo:
- Connections: Gene Lian <glian@mozilla.com>, "Fernando Jiménez Moreno" <ferjmoreno@gmail.com>
- Main Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=876397
- Wiki: https://wiki.mozilla.org/WebAPI/Inter_App_Communication_Alt_proposal
Overview
The Inter-App Communication API will allow apps to communicate in a publisher/subscriber model.
Apps will register for communication in their manifest file, defining specific restrictions and details relating to the communications desired. An application can setup to send communications and/or handle communications.
Currently, only certified apps are allowed to do connections, but there are plans to open them up in the future.
Source Code
Gaia
- shared/js/iac_handler.js - handles IAC messages
- shared/js/fxa_iac_client.js - Firefox Accounts IAC client
Gecko
- dom/apps/src/Webapps.js - cpmm("Webapps:Connect"...), cpmm("Webapps:GetConnections"...)
- dom/apps/src/Webapps.jsm - process manifest file for new ‘connections’
- dom/apps/src/InterAppComm.cpp
- dom/apps/src/InterAppCommService.js
- parent process, does checking of installOrigin, manifestURLs, and minimumAcccessLevel, main file for API
- dom/apps/src/InterAppConnection.js - child process, InterAppConnection object
- dom/apps/src/InterAppMessagePort.js - child process, InterAppMessagePort object
WebIDL
- dom/webidl/InterAppConnection.webidl - MozInterAppConnection
- dom/webidl/InterAppConnectionRequest.webidl - MozInterAppConnectionRequest
- dom/webidl/MozInterAppMessageEvent.webidl - MozInterAppMessageEvent
- dom/webidl/InterAppMessagePort.webidl - MozInterAppMessagePort
IDL
- dom/interfaces/apps/nsIDOMApplicationRegistry.idl - registers connect() and getConnections()
- dom/interfaces/apps/nsIInterAppCommService.idl - nsIInterAppCommService
Security Features
manifest ‘rules’
minimumAccessLevel
Defines a ‘minimum’ application type level: web, privileged, or certified. Defaults to ‘web’.
installOrigins
A list of install origins from where subscriber apps should have been installed. Since certified apps has not a valid install origin, these constraint does not apply to them.
manifestURLs
Can be used to set specific subscribers by a list of manifestURLs.
Current Usage
apps/search/manifest.webapp
apps/system/manifest.webapp
83 "mediacomms": {
84 "description": "Communication with media apps for now playing info",
85 "rules": {}
87 "search-results": {
88 "description": "Communicate between search results and search app",
89 "rules": {}
91 "ftucomms": {
92 "description": "Communicate between communications/ftu and System",
93 "rules": {}
95 "bluetoothTransfercomms": {
96 "description": "Communication with bluetooth apps for sending files info",
97 "rules": {}
99 "dialercomms": {
100 "description": "Communication with dialer app for sleep message",
101 "rules": {}
103 "fxa-mgmt": {
104 "description": "Firefox Accounts management API",
105 "rules": {
106 "minimumAccessLevel": "certified"
107 }
Concerns
- http://mxr.mozilla.org/mozilla-central/source/b2g/chrome/content/shell.js#748
- I think we can control ‘keyword’ and this looks like its chrome code
- I think a lot of this just needs to be put through manual testing.
- http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/InterAppCommService.js#349
- does checking for ‘security’ things. It uses 2 fields each time. ex. aSubAppManifestURL and aPubAppManifestURL. Can i set one of those on my app and ‘bypass’ these tests
- So this uses postMessage, is there any opportunity for other apps just listening for 'message' will be able to intercept sensitivei comms?
manifest
- The installOrigins field inside manifest file limits communications origins. This needs to be tested
- also, them seem to just be a domain name, are we not doing port, domain, protocol along with app id?