Security/Reviews/B2G/DownloadManager
Overview
DRAFT REVIEW: this review is still in progress
FirefoxOS Review Details
- Topic: Downloads WebAPI & Gaia download functionality
- Review Date: January 2013
- Review Lead: Rob Fletcher
- Main Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=926955
- Landing: B2G 1.4
Context
The Download Manager API allows certified web apps (those holding the 'downloads' permission) to control downloads on Firefox OS. The API lets web apps, rather than chrome-privileged content as on desktop, control downloads by interacting with Downloads.jsm.
Any HTTP response with a Content-Type of "application/octet-stream" causes the response body to be downloaded as a file. Downloaded files are saved under /sdcard/downloads/ on the device filesystem.
Scope
- What parts of Gaia, Gecko and/or Gonk are we looking at?
The following system components were reviewed:
- Gaia (modified apps)
  - System app
  - Settings app
- Gecko
  - navigator.mozDownloadManager
  - interaction with existing Downloads.jsm code
Components
The main files implementing the Download Manager API are listed under Relevant Source Code below.
Relevant Source Code
Gaia
System App
- https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/download/download_manager.js
- https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/download/download_notification.js
Settings App
- https://github.com/mozilla-b2g/gaia/blob/master/apps/settings/js/downloads/download_api_manager.js
- https://github.com/mozilla-b2g/gaia/blob/master/apps/settings/js/downloads/download_item.js
- https://github.com/mozilla-b2g/gaia/blob/master/apps/settings/js/downloads/downloads_list.js
- https://github.com/mozilla-b2g/gaia/blob/master/apps/settings/js/downloads/desktop/desktop_moz_downloads.js
- https://github.com/mozilla-b2g/gaia/blob/master/shared/js/download/download_formatter.js
- https://github.com/mozilla-b2g/gaia/blob/master/shared/js/download/download_helper.js
- https://github.com/mozilla-b2g/gaia/blob/master/shared/js/download/download_store.js
- https://github.com/mozilla-b2g/gaia/blob/master/shared/js/download/download_ui.js
Gecko
WebIDL File for mozDownloadManager
Parent Process
- http://mxr.mozilla.org/mozilla-central/source/dom/downloads/src/DownloadsAPI.jsm
- http://mxr.mozilla.org/mozilla-central/source/toolkit/components/jsdownloads/src/Downloads.jsm
Child Process
- http://mxr.mozilla.org/mozilla-central/source/dom/downloads/src/DownloadsAPI.js
- http://mxr.mozilla.org/mozilla-central/source/dom/downloads/src/DownloadsIPC.jsm
Permissions
Settings and System are the only apps holding the 'downloads' permission; the permission table grants it to certified apps only:
"downloads": {
app: DENY_ACTION,
privileged: DENY_ACTION,
certified: ALLOW_ACTION
},
Review Notes
1. Content/Chrome Segregation
DownloadsAPI is implemented using WebIDL. There was a lot of discussion around what to expose when a page does not hold the 'downloads' permission; see bug 957592 for details.
2. Process Segregation
3. Data validation & Sanitization
4. Denial of Service
Security Risks & Mitigating Controls
- At a minimum, something like the Web NFC discussion
- Maybe more in-depth if needed, e.g. the threat model in /Security/Reviews/Identity/browserid#Threat_Model (BrowserID / Persona)
Actions & Recommendations
- List of recommendations and corresponding bug numbers
- For sensitive bugs, just give the bug number (or omit it entirely if the issue is really dangerous and obvious)