Firefox3.1/Video Security Review

From MozillaWiki
Jump to: navigation, search

Overview

Implement the WHATWG <video> and <audio> elements using Ogg Vorbis and Theora as the audio and video codecs respectively.

Background links

Security and Privacy

  • What security issues do you address in your project?

None

  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing? No configuration files/prefs.
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project. video and audio uses external third party libraries to do the decoding and manage sound output. There is the potential for bugs in these libraries to present a security risk.

Schrep arrange for Window to take a look at the 3rd party libraries back in July. I haven't heard back from them what the result of this was. libvorbis and libtheora have had coverity scans and had bugs fixed as a result. One of the developers involved in the third party library projects has done some fuzz testing of the xiph codecs earlier this year. Some things were found which were fixed.

We don't currently support a full screen mode but if we do then we have to deal with issues of videos being used for faking user interfaces.

The are additional security issues involved with backends that use OS media frameworks. As there are no plan's to enable these in 3.1 I haven't looked at the issues there.

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI,

etc.)

nsIHTMLMediaElement nsIHTMLVideoElement nsIHTMLAudioElement nsIHTMLMediaError

  • Explain the significant file formats, names, syntax, and semantics.

The ogg backend uses the Ogg file format, with Vorbis and Theora streams embedded inside. See links to specs earlier.

  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?

Yes. They are documented in the WHATWG specification (linked earlier) and there is Mozilla documentation available.

  • Does it change any existing interfaces?

No.

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)

The following third party libraries are used:

libogg libvorbis libtheora libfishsound liboggplay liboggz libsydneyaudio

Data

  • What data is read or parsed by this feature

<video>, <audio> and <source> are parsed in the HTML. Ogg contained files are read/parsed using the external libraries listed above.

  • What is the output of this feature Video Output displayed, Audio output written to sound hardware.
  • What storage formats are used None.

Reliability

  • What failure modes or decision points are presented to the user?

None.

  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes? No files can be corrupted by failures as it never writes anything.

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?

Not yet. It is planned to add preferences to enable disabling audio/video.

  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]

ifdef MOZ_MEDIA for enable <video> and <audio> support

ifdef MOZ_OGG for Ogg backend

--enable-ogg to enable ogg backend and media support

Relationships to other projects

  • Are there related projects in the community?

I use the third party libraries listed earlier.

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa? We depend on those libraries being actively maintained and bug fixes actioned in a timely manner.
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose? For the Annodex libraries (liboggz, liboggplay, libsydneyaudio, libfishsound) I raise tickets in their trac system for bugs and post on the annodex-dev mailing list. I'm active in the #annodex channel on irc.freenode.net and discuss issues with them there. I have commit access to Annodex svn repository for these libraries and have reviewed/committed code.

For the Xiph libraries (libogg, libvorbis, libtheora) I post on the theora-dev and ogg-dev mailing lists, am active in the #theora channel on freenode and discuss issues with the developers that way.

Review comments

  • src load needs to call CheckLoadURI() to prevent load of file:, chrome:, javascript: etc types.
  • data: is probably fine
  • Using Access-Control utils (under discussion) should already contain those checks, but we should test to be sure.
  • There was some talk of a pref to override access-control checks, as a developer thing.
  • <video> and <audio> need to check with defined nsIContentPolicy providers (we do, roc thinks; https://bugzilla.mozilla.org/show_bug.cgi?id=451004 says we don't)
  • bandwidth issue: no way (pref) to turn off video or audio. Apparently a kill switch is already planned as a fall-back in case of legal issues: https://bugzilla.mozilla.org/show_bug.cgi?id=448600
  • also an accessibility issue.
  • probably need separate prefs for video and audio since there accessibility and bandwidth reasons why some might wish to block one and allow the other. That's probably for some future release.
  • pages/frames opened on video/audio content will play that content.
  • currently that auto-plays automatically in full-page, should we change that?
  • tags in a page obey the autoplay attribute. Some people are going to want a way to say videos shouldn't play until they want them to (just as we have control over how animated images play). Do we need a pref for that too? definitely too late to get UI for it, but a backend pref would still be useful for addons to add UI later.