Security/Reviews/Gaia/InterAppCommunicationAPI

From MozillaWiki
Revision as of 18:54, 24 January 2014 by Rfletcher (talk | contribs) (Created page with "== Review Details == * Topic: Inter-App Communication API * Review Date: January, 2014 * Review Lead: Rob Fletcher <rfletcher@mozilla.com> (:omerta) * Repo: * Connections: Ge...")

Review Details

Overview

The Inter-App Communication API will allow apps to communicate in a publisher/subscriber model.

Apps will register for communication in their manifest file, defining specific restrictions and details relating to the communications desired. An application can be set up to send communications, handle communications, or both.

Currently, only certified apps are allowed to make connections, but there are plans to open them up in the future.

Source Code

Gaia

  • shared/js/iac_handler.js - handles IAC messages
  • shared/js/fxa_iac_client.js - Firefox Accounts IAC client

Gecko

  • dom/apps/src/Webapps.js - defines connect() and getConnections()
  • dom/apps/src/Webapps.jsm - process manifest file for new ‘connections’
  • dom/apps/src/InterAppComm.cpp
  • dom/apps/src/InterAppCommService.js
    • parent process, checks installOrigins, manifestURLs, and minimumAccessLevel; main file for the API
  • dom/apps/src/InterAppConnection.js - child process, InterAppConnection object
  • dom/apps/src/InterAppMessagePort.js - child process, InterAppMessagePort object

WebIDL

  • dom/webidl/InterAppConnection.webidl - MozInterAppConnection
  • dom/webidl/InterAppConnectionRequest.webidl - MozInterAppConnectionRequest
  • dom/webidl/MozInterAppMessageEvent.webidl - MozInterAppMessageEvent
  • dom/webidl/InterAppMessagePort.webidl - MozInterAppMessagePort

IDL

  • dom/interfaces/apps/nsIDOMApplicationRegistry.idl - registers connect() and getConnections()
  • dom/interfaces/apps/nsIInterAppCommService.idl - nsIInterAppCommService

Security Features

manifest ‘rules’

minimumAccessLevel

Defines a ‘minimum’ application type level: web, privileged, or certified. Defaults to ‘web’.

installOrigins

A list of install origins from which subscriber apps should have been installed. Since certified apps do not have a valid install origin, this constraint does not apply to them.

manifestURLs

Can be used to set specific subscribers by a list of manifestURLs.

Concerns

manifest

  • The installOrigins field inside the manifest file limits communication origins. This needs to be tested.
    • Also, they seem to be just a domain name; are we not checking port, domain, and protocol along with the app id?
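
The three manifest rules under Security Features, together with the origin-comparison concern above, modelled as an added example (this is not Gecko's InterAppCommService.js code). It assumes that every rule present must pass, that levels order as web < privileged < certified, and that install origins are compared as scheme, host and port; `subscriberAllowed`, `fullOrigin` and the sample apps are hypothetical names.

```javascript
// Added illustration, not Gecko code. Only minimumAccessLevel, installOrigins
// and manifestURLs come from the page; every other name is hypothetical.
const LEVELS = new Map([["web", 0], ["privileged", 1], ["certified", 2]]); // assumed order

// Reduce a value to scheme + host + port. A bare domain name does not parse
// as a URL and yields null, so it can never match an allowed origin.
function fullOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// rules: the publisher's manifest 'rules'. subscriber: { level, installOrigin,
// manifestURL }. Assumption: every rule that is present must pass.
function subscriberAllowed(rules, subscriber) {
  const min = rules.minimumAccessLevel || "web"; // defaults to 'web'
  if (!LEVELS.has(min) || !LEVELS.has(subscriber.level)) return false;
  if (LEVELS.get(subscriber.level) < LEVELS.get(min)) return false;

  // installOrigins is skipped for certified apps (no valid install origin).
  if (Array.isArray(rules.installOrigins) && subscriber.level !== "certified") {
    const allowed = rules.installOrigins.map(fullOrigin).filter(Boolean);
    const actual = fullOrigin(subscriber.installOrigin);
    if (actual === null || !allowed.includes(actual)) return false;
  }

  if (Array.isArray(rules.manifestURLs) &&
      !rules.manifestURLs.includes(subscriber.manifestURL)) return false;
  return true;
}

// Constructed sample data.
const MANIFEST = "app://reader.example/manifest.webapp";
const sampleRules = {
  minimumAccessLevel: "privileged",
  installOrigins: ["https://store.example"],
  manifestURLs: [MANIFEST],
};
const app = (level, installOrigin, manifestURL = MANIFEST) =>
  ({ level, installOrigin, manifestURL });

for (const s of [app("privileged", "https://store.example"),
                 app("privileged", "http://store.example"),
                 app("web", "https://store.example"),
                 app("certified", undefined)]) {
  console.log(s.level, s.installOrigin, "->", subscriberAllowed(sampleRules, s));
}
```

Comparing normalised origins rather than host strings is what makes the `http://` and non-default-port variants of the same domain fail the installOrigins rule.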