Security/Reviews/IMinThunderBird
Item Reviewed
IM in ThunderBird
Target | https://wiki.mozilla.org/Features/Thunderbird/Instant_messaging_in_Thunderbird
ID | Summary | Priority | Status |
---|---|---|---|
714733 | Instant messaging in Thunderbird | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- enrich the email experience with instant messaging functionality
- People frequently communicate with the same contacts through different messaging technologies (email, instant messaging, twitter...). It's frustrating to have to use completely separate systems for these different forms of communication.
- use case:
- target users: people who use Thunderbird for their emails and may IM the same set of contacts.
What solutions/approaches were considered other than the proposed solution?
- The proposed solution adds support for a few IM protocols (currently XMPP and Twitter) directly inside Thunderbird. It uses the JavaScript parts of Instantbird's backend for that.
- Another approach was to detect IM clients already installed on the user's system, and attempt to interact with them. That would however be very limiting...
Why was this solution chosen?
- By supporting IM protocols directly in Thunderbird, we have full control over how the IM messages are presented and integrated into the Thunderbird UX.
- We can index conversations, so that they can appear in gloda search results.
- It will also be possible to integrate instant messaging contact lists with the Thunderbird addressbook (not done yet).
- I (Florian) already have a good knowledge of the Instantbird code base as I wrote most of it, and reviewed the rest.
Any security threats already considered in the design and why?
- We would like to let add-on authors add support for more protocols with add-ons, so we obviously can't trust the received messages to be clean HTML.
- conversations are only displayed in browsers with the type="content-<something>" attribute
- the received HTML is sanitized before display, using a white list of acceptable HTML tags and acceptable CSS attributes. (the sanitizing code is in http://lxr.instantbird.org/instantbird/source/chat/modules/imContentSink.jsm )
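
The allowlist approach described above, as an added example (this is not the imContentSink.jsm code and does not come from the Instantbird or Thunderbird projects). The tag and CSS allowlists and the function names are assumptions chosen for illustration; the output is rebuilt from scratch so nothing from the received message passes through unescaped.

```javascript
// Added illustration; NOT the imContentSink.jsm code. Allowlists are assumptions.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "br", "span", "p"]);
const ALLOWED_CSS = new Set(["color", "font-weight", "font-style", "text-decoration"]);
const SAFE_CSS_VALUE = /^[a-zA-Z0-9#%., -]+$/; // rejects url(), quotes, parens, entities

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Keep only allowlisted "property: value" declarations from a style attribute.
function filterStyle(style) {
  return style.split(";")
    .map((decl) => decl.split(":").map((part) => part.trim()))
    .filter(([prop, value, ...rest]) => rest.length === 0 && value &&
      ALLOWED_CSS.has(prop.toLowerCase()) && SAFE_CSS_VALUE.test(value))
    .map(([prop, value]) => `${prop.toLowerCase()}: ${value}`)
    .join("; ");
}

// Rebuild the message: text is escaped, allowlisted tags are re-emitted with at
// most a filtered style attribute, and every other tag or attribute is dropped.
function sanitizeMessage(html) {
  const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = "", last = 0, m;
  while ((m = TAG.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = TAG.lastIndex;
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // tag not on the allowlist: drop it
    if (closing) { out += `</${name}>`; continue; }
    const styleMatch = /\bstyle\s*=\s*"([^"]*)"/i.exec(attrs);
    const style = styleMatch ? filterStyle(styleMatch[1]) : "";
    out += style ? `<${name} style="${style}">` : `<${name}>`;
  }
  return out + escapeHtml(html.slice(last));
}
```

A production sanitizer would walk a parsed DOM rather than match tags with a regular expression; the point here is the allowlist and the rebuild-don't-filter structure.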
Threat Brainstorming
- What is indexed in gloda?
  - plaintext version of conversation
- if HTML or JS is sent what happens
  - attempt to sanitize the content
- interaction between browser contexts
  - XUL browser for each conversation in separate tabs
Action Items
Action Item Status | In Progress
Release Target | Thunderbird 13
Who | Action | By When | Completed date |
---|---|---|---|
ptheriault | sanitization code review | before code migrates to aurora | [DONE] Done |
ptheriault bug 741958 | twitter oauth / apiapi use | before code migrates to aurora | [NEW] in progress |
ptheriault | contact name sanitization | before code migrates to aurora | [DONE] Done |
ID | Summary | Priority | Status |
---|---|---|---|
741958 | [Security Review][Action Item]IM in Thunderbird - witter oauth / apiapi use | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);