Security/Reviews/CrossOriginEventSource

From MozillaWiki

Security Review Pre-Work

We already have support for Server Sent DOM Events. This was done in bug 338583 and security review happened in ServerDomEvents

Overview

The goal of this feature is to allow cross-site pushing of server-sent events. For example, a bank site could push events that keep you up to date with your portfolio, or Facebook could push an event stream containing updates to your wall. http://pulse.mozilla.org/ has also expressed a desire to use this to allow other sites to consume and visualize data concerning the Mozilla project.

  • bug 664179 tracks the cross-site support
  • There appears to be agreement between all concerned parties that CORS (dev.w3.org/2006/waf/access-control/) will be used as the security model.

Threats

The threats are the same as for cross-site XMLHttpRequest.

  • Sites might share data without first checking with the user that this is ok.
  • Sites might accidentally share data with third party sites while not intending to do so.
  • The data can be sniffed while going over the net.

CORS, which is used as the security model, has several mitigations built in:

  • Can only opt in on a per-URI basis (though serverside technologies can make this available on a per-site or per-subtree basis)
  • Can't opt in to sharing private data with "the world" without using custom server-side scripting that echoes back the "Origin" header in the "Access-Control-Allow-Origin" header.
  • Sharing private data requires setting two explicit headers: "Access-Control-Allow-Origin" and "Access-Control-Allow-Credentials".
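The two header-based mitigations above can be shown in a server-side handler for a credentialed event-stream endpoint. The following is an added example, not code from the wiki page or from Mozilla's implementation; the origin allowlist, the `MOZ` portfolio event and the request/response shape are constructed for illustration. It contrasts the blind "echo whatever Origin arrives" pattern (which shares private data with the world) with an allowlist check that only echoes an origin the operator has approved.

```javascript
// Added example (not part of the wiki page): CORS decision logic for an
// EventSource endpoint that serves private, credentialed data.
// Constructed sample allowlist; in practice this is operator-maintained.
const ALLOWED_ORIGINS = new Set([
  'https://app.example',
  'https://dashboard.example',
]);

// Weak form: echo any Origin the request carries. Paired with
// Access-Control-Allow-Credentials this shares the stream with every site,
// because each caller simply sees its own origin reflected back.
function blindEchoHeaders(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected form: echo only an allowlisted Origin; otherwise return null so
// no CORS headers are emitted and the browser withholds the response from the
// calling page. '*' cannot be used with credentials, which is why the exact
// origin must be echoed. 'Vary: Origin' stops a shared cache from replaying
// one origin's headers to another.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || !allowed.has(originHeader)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Full header set for the stream. A request with no Origin header is not a
// cross-origin browser request, so it is served without CORS headers.
function eventStreamHeaders(originHeader, allowed = ALLOWED_ORIGINS) {
  const base = { 'Content-Type': 'text/event-stream', 'Cache-Control': 'no-cache' };
  if (originHeader === undefined) return base;
  const cors = corsHeadersFor(originHeader, allowed);
  if (cors === null) return null;
  return { ...base, ...cors };
}

// Encode one server-sent event frame; multi-line data becomes multiple data: lines.
function sseFrame(event, data, id) {
  const lines = [];
  if (id !== undefined) lines.push(`id: ${id}`);
  if (event) lines.push(`event: ${event}`);
  for (const line of String(data).split(/\r\n|\r|\n/)) lines.push(`data: ${line}`);
  return lines.join('\n') + '\n\n';
}

// Request handling as a pure function over a minimal request object
// ({ headers: { origin } }) so it can be exercised without a socket.
// Disallowed cross-origin requests are refused outright rather than streamed
// and then blocked client-side.
function handleRequest(req) {
  const headers = eventStreamHeaders(req.headers.origin);
  if (headers === null) {
    return { status: 403, headers: {}, body: '' };
  }
  const body = sseFrame('portfolio', JSON.stringify({ symbol: 'MOZ', change: '+1.2%' }), 1);
  return { status: 200, headers, body };
}
```

Wiring `handleRequest` into a real Node `http` server is a matter of copying `status` and `headers` into `res.writeHead` and writing `body`; the decision logic is unchanged.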

Additionally, we're reusing the same code as used for cross-site XMLHttpRequest, cross-site @font-face, and CORS-based <img>.

Topics To Discuss During The Review

Please be prepared to discuss the topics listed at ReviewTopics as they relate to your feature / project. Optionally, you may copy the most relevant questions here and answer them before the review, which could speed up the review meeting.

Review comments

Notes and bug numbers will be recorded here. Let's try not to spend too much time on any one topic during the meeting.