Security/Reviews/PluginOverlayAPI: Difference between revisions

From MozillaWiki

Revision as of 22:12, 3 August 2012


Item Reviewed

Plugin Overlay API
Target: http://mozilla.github.com/shumway/

Review Bug: 776208 - Provide API for JavaScript extensions to create native plugins previews for specific mime type (RESOLVED)


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

To provide an API for JavaScript extensions to create a preview of a plug-in for a specific MIME type. The typical use case is to allow Firefox extensions to provide a secure, interactive preview for native plugins, or to replace them entirely. This is a key component of the Shumway implementation of a web-native SWF runtime, specifically its browser integration with Firefox.

Notes

Shumway will call registerPlayPreviewMimeType. When there is an embed, the loader checks whether a preview is registered for the type: if not, it calls up the plugin; if there is, it loads Shumway (or another registered preview) instead.
How does the extension distinguish between multiple frames with the same source? Shumway has access to the DOM tree and can extract the information from the original element.
What is the origin of the document in the iframe? Originally the data: URI, then changed by the stream converter (for Shumway it looks like resource:). Use of a resource URL is likely to cause problems: either use a null principal or use the origin of the original resource.
This isn't enabling anything add-ons can't already do; rather, it exposes a cleaner way for them to do it.
(pilot Shumway extension: https://github.com/mozilla/shumway/tree/master/extension/firefox)
(iframe box testing: http://pastebin.mozilla.org/1735309)

What solutions/approaches were considered other than the proposed solution?

Alternative solution: to provide an API to the extension that fully intercepts a Flash object instantiation, we would need to:

   1. add entries to window.navigator.plugins (with the same name, description, version and MIME type as Flash);
   2. intercept/forward all <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"> instantiations;
   3. suppress the plugins' priority in the document loader factory.

Why was this solution chosen?

It requires less intervention in the existing plugin loading code (nsObjectLoadingContent).

Any security threats already considered in the design and why?


Threat Brainstorming

  • The iframe created for the preview loads a data: URI and therefore inherits the principal of the resource:// URI, which has some level of privilege. Could try a null principal or the iframe sandbox attribute when it lands?
  • The preview iframe might be able to interact with the page/DOM after the user has decided to load the actual plugin, if it is not cleaned up.
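The following is an added example, not code from the Shumway project or from this review: it models the registerPlayPreviewMimeType flow from the notes (preview if one is registered for the embed's MIME type, otherwise fall through to the native plugin) together with the two mitigations raised in the threat brainstorming above, a preview frame with a null origin and explicit teardown of the preview once the user opts for the real plugin. Every name except registerPlayPreviewMimeType, the registry shape, the host interface and the preview URL are assumptions; frame creation sits behind a small host object so the logic runs under Node without a browser DOM.

```javascript
// Added example (not Shumway's code): MIME-type preview registry, null-origin
// preview frame, and cleanup before the real plugin loads.

// mimeType (lower-cased) -> preview document URL. Hypothetical registry shape.
const previewRegistry = new Map();

// Same name as the API in the review; this signature is an assumption.
function registerPlayPreviewMimeType(mimeType, previewUrl) {
  previewRegistry.set(mimeType.toLowerCase(), previewUrl);
}

// Attributes for the preview frame. `sandbox` without allow-same-origin gives
// the framed document an opaque (null) origin, so it neither inherits the
// extension's resource:// principal nor shares an origin with the embedding
// page. What the preview needs to know about the original element (src, id,
// size) is handed over explicitly in the URL, so the sandboxed frame never has
// to read the host document to tell two embeds with the same source apart.
// That hand-over is a design choice of this example.
function buildPreviewFrameSpec(embed, previewUrl) {
  const params = new URLSearchParams({ src: embed.src || "", id: embed.id || "" });
  return {
    src: `${previewUrl}?${params.toString()}`,
    sandbox: "allow-scripts", // deliberately no allow-same-origin / allow-top-navigation
    width: embed.width,
    height: embed.height,
  };
}

// Given an <object>/<embed> description, decide: preview if one is registered
// for its MIME type, otherwise fall through to the native plugin.
function decideEmbed(embed) {
  const type = (embed.type || "").toLowerCase();
  const previewUrl = previewRegistry.get(type);
  if (previewUrl === undefined) return { action: "plugin" };
  return { action: "preview", spec: buildPreviewFrameSpec(embed, previewUrl) };
}

// Hypothetical host interface: createFrame(spec) -> handle, removeFrame(handle),
// loadPlugin(embed). In a browser, createFrame would call
// document.createElement("iframe") and iframe.setAttribute("sandbox", spec.sandbox);
// this recording host stands in for it so the example runs offline.
class RecordingHost {
  constructor() { this.frames = []; this.loaded = []; }
  createFrame(spec) { const handle = { spec }; this.frames.push(handle); return handle; }
  removeFrame(handle) { this.frames = this.frames.filter((f) => f !== handle); }
  loadPlugin(embed) { this.loaded.push(embed); }
}

// Tracks live previews keyed by embed id so each one is torn down before the
// real plugin is instantiated (the second threat in the list above).
class PreviewController {
  constructor(host) { this.host = host; this.active = new Map(); }

  handleEmbed(embed) {
    const decision = decideEmbed(embed);
    if (decision.action === "preview") {
      const handle = this.host.createFrame(decision.spec);
      this.active.set(embed.id, { handle, embed });
    }
    return decision.action;
  }

  // User clicked through to the native plugin: remove the preview frame first,
  // then hand the original element to the plugin loader.
  activatePlugin(embedId) {
    const entry = this.active.get(embedId);
    if (!entry) return false;
    this.host.removeFrame(entry.handle);
    this.active.delete(embedId);
    this.host.loadPlugin(entry.embed);
    return true;
  }

  activePreviewCount() { return this.active.size; }
}

// Constructed sample run: a Flash embed gets a sandboxed preview, a PDF embed
// does not, and activating the plugin removes the preview frame.
function demo() {
  const host = new RecordingHost();
  const ctl = new PreviewController(host);
  registerPlayPreviewMimeType("application/x-shockwave-flash",
    "resource://example-preview/preview.html"); // hypothetical preview URL
  const flash = { id: "movie1", type: "application/x-shockwave-flash",
    src: "http://example.org/game.swf", width: 300, height: 150 };
  const pdf = { id: "doc1", type: "application/pdf", src: "http://example.org/a.pdf" };
  const first = ctl.handleEmbed(flash);
  const second = ctl.handleEmbed(pdf);
  const sandbox = host.frames[0].spec.sandbox;
  const removed = ctl.activatePlugin("movie1");
  return { first, second, sandbox, framesLeft: host.frames.length,
           pluginsLoaded: host.loaded.length, removed, stillActive: ctl.activePreviewCount() };
}

console.log(JSON.stringify(demo()));
```

The key line is the `sandbox` value: with `allow-same-origin` omitted, the preview document gets a unique origin whatever its source URL is, which is the null-principal option the notes ask for, and `activatePlugin` removes the frame before the plugin loader is called so a leftover preview cannot keep scripting the page.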


Action Items

Action Item Status: In Progress
Release Target: (not set)

Who | Bug | Action | By When | Completed date
Jethro | | Arrange secreview for Shumway | Coincide with / follow shortly after "rough alpha" (suggest making the secreview bug now, updating with time as appropriate) |
Yury | | Remove preview iFrame (cleanup) | |
Dan / Ian / Mark / David | | Investigate alternatives for null principal for resolving iFrame security issues | 13th - 18th August |

