MozillaWiki

User:Dmose:Protocol Handler Security Review

Revision as of 15:31, 25 October 2007 by Dmose (talk | contribs) (→‎Caveats / What We've Tried Before)

Status

Feature tracking bug

Has a design review been completed?

The design has been reviewed incrementally in bug 380415, its dependent bugs, and ongoing discussions in and newsgroups. A single, comprehensive, high-level review has not happened, and is not currently planned (other than this security review).

When do you anticipate the feature landing

We were feature-complete in mid-September. Bug-fixing is ongoing.

Any relevant status comments for the feature can be placed here.

Overview

It is now possible to have URIs with protocol schemes that are not handled internally (e.g. webcal:, mailto:, news:, etc.) handed off to web-based handlers in addition to desktop applications.

Use Cases

  • Users who primarily use web mail should be able to click mailto: links and have them do the right thing (open their webmail applications in compose mode) rather than opening a compose window in a mail app that they don't use (e.g. Outlook Express).
  • Users who primarily use web calendars should be able to click webcal: links and have them subscribe to the ICS calendars in question.
  • (etc.)

Requirements

  • Support web-based protocol handlers in the backend bug 380415
  • Handlers should be selectable/configure from a dialog similar to the unknown content type handler for MIME types.
  • Allow web sites to register new content handlers, including prompting user whether or not add requested protocol handlers
  • Preferences API should exist for managing configured content handlers
  • Be able to inject possible handlers into new and existing profiles

UI Design Documentation

use cases and expected user knowledge (terminology, metaphors, etc)

design mockups (of whatever fidelity is easiest)

ContentHandling:User_Interface

links to relevant user data, bugs, reports, examples, etc

To actually see the registration in action, go to [1] and select one of the web mail handlers. After you've accepted the registration, click the test link. It should bring up the compose window for the webmail app, though the header fields will not (at the moment) be populated correctly. Another example is to click on a webcal: link in a nightly; this will take you to a test handler that we have set up.

Design Impact

Security and Privacy

  • What security issues do you address in your project?
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
    • mime-types.rdf corruption / missing
    • application pref file (firefox.js or equivalent) missing
    • user prefs.js missing
    • ISP DNS expiration and pounce
    • non-SSL handlers
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
    • Assumptions
    • Capabilities
    • Potential Risks
      • Phishy? (Encourages in-browser auth?)
      • The HTML5 spec has a list of possible security issues that should be gone through
      • Uses of web-handled URIs in contexts other than in href attribute of a element
        • object
        • embed
        • iframe (no status bar; even phishier than usual?)
        • script
        • img
        • others?
      • old warning dialog has been removed:
          • if it's unacceptably risky, we shouldn't be doing it at all
          • unclear how much a warning dialog helps anyway
      • handler ISP DNS expiration and pounce
      • non-SSL handlers in combination with DNS MiTM attacks (eg bogus Wifi APs)
    • Misc
      • spec: "should NEVER send https URIs to third-party sites"; need to design fallback behavior or change. todo: ask hixie what this protects
      • how do we handle URI leakage as per HTML5 4.10.2.1. todo: does fx2 handle this? sounds hard (impossible?) to fix
      • credential leakage spec verbiage sounds unimplementable
      • figure out what URI schemes are acceptable for both source and target

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
  • Does it interoperate with a web service? How will it do so?
  • Explain the significant file formats, names, syntax, and semantics.
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
  • Does it change any existing interfaces?

Web Compatibility

  • Does the feature had any impact on Web compatibility?

Performance

  • How will the project contribute (positively or negatively) to "perceived performance"?
  • What are the performance goals of the project? How were they evaluated? What is the test or reference platform and baseline results?
  • Will it require large files/databases (for example, browsing history)?

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

l10n and a11y

  • are any strings being changed or added?
  • are all UI elements available through accessibility technologies?

Installation, Upgrade/Downgrade/Sidegrade, and platform requirements

  • Does it equally support all Tier-1 platforms?
  • Does is have a hardware requirement (or increase minimum requirements)?
  • Does it require changes to the installer?
  • Does it impact updates?
  • list the expected behavior of this feature/function when Firefox is upgraded to a newer minor release, downgraded by installation of an earlier revision, or re-installed (same version)

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?

Yes. In the case of accepting protocol handlers being registered for web-sites, there is a notification bar. The new protocol handling dialog offers choices as needed for URI schemes whose handling is not already defaulted. There is preferences UI to manage how particular schemes are handled at any time. There is not, and perhaps should be, any way to remove already accepted web-handlers from the preferences and dialog.

  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]

If MOZ_RDF is not defined, web-based protocol handlers will currently fail. There are no options specific to this feature.

  • What ranges for the tunable are appropriate? How are they determined?

There are currently no real tunables. There is a [wanted-firefox3] bug for experimenting with giving the dialog / dropdowns some MRU list love, which would probably introduce a few tunables.

  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

None currently.

Relationships to other projects - are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?

We are implementing the proposal from the WhatWG HTML5 spec, so we depend on them. However, as the first known implementor, we're feeding back comments to their mailing list in an ongoing way.

  • Are you updating, copying or changing functional areas maintained by other groups?

No.

Documentation

  • Do built-in Help pages need modified?

A coin toss. There was no documentation for the old protocol handler dialog, but that one was pretty simple. We could potentially add some, but even the new dialog isn't terribly complex.

  • Documentation for developer.mozilla.org?

Basic documentation for navigator.registerProtocolHandler exists. We hope to ask the evangelism team for some cycles to put together a small tutorial on building an example server-side protocol handler.

Other

any other implementation or design related documentation

Discussion & Implications

Caveats / What We've Tried Before

  • The old protocol handling dialog was a simple nsIPrompt which only allowed things to be handed off to the system default. The new dialog is essentially a cleanup and evolution of unknown content-type handler dialog for MIME-types. In a future version, the plan is to use this new dialog to replace that old one too.
  • In bug 380415, the backend changes were originally done as a redirect on the nsExtProtocolChannel after AsyncOpen was called. This had some structural problems, so the code got pushed into the nsHandlerInfo::LaunchWithWebHandler where it switched to simply creating a new channel and sending it to the URI loader. Further refactoring pushed this into nsIWebHandlerApp.launchWithURI where it really belongs.

References

The MIME Edit addon has some example UI that is more complete than the Firefox 2 UI, though not particularly friendly to non-technical users.

WhatWG Web Applications spec

API request from an extension author for dialog extensibility

Retrieved from "https://wiki.allizom.org/index.php?title=User:Dmose:Protocol_Handler_Security_Review&oldid=72006"