Security/Reviews/Firefox6/ReviewNotes/SiteDataUI

From MozillaWiki

Site Based Data Management UI (about:permissions) 2011.06.15

Introduce Feature

    • Experimental but possibly a full-fledged feature
    • what permissions do sites have, what data is being shared, see total relationship with a given site
    • More for expert users but may become more popular
  • Goal of Feature, what is trying to be achieved (problem solved, use cases, etc) 
      • give users all the permissions for a site in one place
  • What solutions/approaches were considered other than the proposed solution? 
      • this was a pane in prefs dialog
      • decided there was not enough space so it became a content tab
  • Why was this solution chosen? 
      • More space was needed
      • some use cases were not being handled by page info
  • Any security threats already considered in the design and why? 
      • How to deal with cookies set for superdomains --> bug 658556
      • How to deal with third-party cookies?

Info / Questions

  • feature is in content, which should become a more standard preference
  • similar to about:addons
  • how can addons work with this?
    • currently no easy-to-use hooks for addons
  • will there be a way to get from a page to the about:permissions pane for that page? I think there should be, but it needs to be non-clickjackable. (won't be in Fx 6)
  • HSTS and DNT?
  • Is this UI used in mobile?
    • not currently

Threat Brainstorming

  • If content-area chrome is targetable or loadable by web content, that could turn an sg:high universal XSS into an sg:critical.
    • all in-content UI pages have this as a problem, so this does not expand that risk
  • Currently managing items such as cookies and passwords launches current small managers for these items. Future design would move these to content. Are there potential security issues here?
    • master password is not being used, so people are a bit "freaked" about having their passwords in this format
  • network traffic caused by this feature?
    • all info is local, no network requests
    • favicons use faviconservice, not loaded remotely
    • how can you verify a site has no default permissions?
    • still being dealt with
    • bsterne verified that you cannot link to this about:permissions page from a content page, including: iframe, window.open, or <a href> (clickjacking threat)
  • It is possible to navigate from about:permissions to another page using Cmd+L or to your home page using Alt+Home. This is a security risk because it gives content a way to target chrome, enabling clickjacking and XSS-elevation and other badness. filed bug 664556
  • does anything ask for your password?
    • No
  • tabs on bottom still shows URL bar which could lead to spoofing

Conclusions / Action Items

  • [gavin] javascript: URLs can still be executed in the context of this (and similar) pages from the "Location" dialog. We should do a similar fix to bug 656433 --> bug 664552 filed (not blocking)
  • [UX Team?] add Master Password improvements into UX experiments
  • [Dveditz] bug: use of master password on about:permissions (not blocking)
  • [Jesse] bug: chrome to content navigation --> bug 664556 (not blocking)
  • [dchan] bug: cookie handling --> bug 664606 (not blocking)