Open Bug 712834 Opened 13 years ago Updated 5 months ago

use nsIPermissionManager for add-ons sync allowed sites

Categories: Firefox :: Sync, defect

People: Reporter: mconnor, Unassigned

References: Depends on 1 open bug, Blocks 1 open bug

Whiteboard: [sync:addons]

http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/XPIProvider.jsm#3079 is an example of this.  I'm not sure if that's the right thing to call, but it's effectively the set of prefs/per-site settings I think we should respect here.

cc-ing fligtar, I think this lets us get beyond AMO in a relatively sane and user-determined way.  thoughts?
Regarding the dependency on bug 470699, we'd need to be careful about syncing the whitelist. One of the reasons we currently limit syncing to addons.mozilla.org is we can trust that add-ons there aren't malicious. If we start allowing Sync to install add-ons from any source where that source can be defined by a synced entity, we open up an attack vector where Sync can be used to propagate malicious extensions. If the whitelist is not synchronized, an attacker (or dumb user) must first compromise the machine receiving the synced data.

This is called out explicitly at https://hg.mozilla.org/services/services-central/file/b573033b92b6/browser/app/profile/firefox.js#l941
gps: I think what you're saying is "malicious add-ons can add themselves to the whitelist", right?
OS: Mac OS X → All
Hardware: x86 → All
rnewman: that's effectively what I'm saying, yes. Put another way, if a single device is compromised, Sync's role as a vector to compromise other devices needs to be carefully considered.
This method seems fine, but it seems like users would have to go to a lot of effort for each extension they want to sync.

I assumed the reason we currently sync AMO-only add-ons is because we can easily re-download the file, whereas we don't know how to get the .xpi installed from other sites without either uploading and syncing the actual file or hoping there's an updateURL that we can get it from. If that's the only reason and we have a plan to tackle that, I think we should sync all add-ons.

If there are other reasons, we should list them all so we know what we're trying to protect against. Here's what I can think of:

* [gps] a user getting infected with poorly-written malware and it syncing to other computers (I say poorly written because our limitations wouldn't stop anyone who knew what they were doing)

* encouraging users and devs to use AMO because of security, quality, compatibility, privacy, performance, etc. wins that are often missing from non-reviewed add-ons

Hmm, that's all I've got right now. Are there other concerns we're worried about with syncing all add-ons?
Whiteboard: [sync:addons]
Component: Firefox Sync: Backend → Sync
Product: Cloud Services → Firefox
Severity: normal → S3
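The mitigation gps describes above (the allowlist is never taken from synced data, so a synced add-on record is installed only if the receiving device already trusts its origin) as an added JavaScript example; this is not Firefox or Sync code, and the permission store, record format and sample batch are constructed stand-ins for nsIPermissionManager and the Sync add-on records:

```javascript
// Added example (not Firefox or Sync code): models the trust decision from
// the thread. Add-on records arriving via Sync carry a sourceURI; the set of
// origins allowed to install is held only on the receiving device and is
// never merged from synced data, so a compromised device cannot widen the
// allowlist on its peers.

// AMO, the one origin Sync already trusts for add-on installs.
const AMO_ORIGIN = "https://addons.mozilla.org";

function originOf(uri) {
  try { return new URL(uri).origin; } catch { return null; }
}

// Decide whether one synced add-on record may be installed on this device.
// localPermissions is a constructed stand-in for nsIPermissionManager:
// origin -> "allow" | "deny".
function installDecision(record, localPermissions) {
  const origin = originOf(record.sourceURI);
  if (origin === null) return { allow: false, reason: "unparseable sourceURI" };
  if (origin === AMO_ORIGIN) return { allow: true, reason: "AMO" };
  if (localPermissions.get(origin) === "allow") return { allow: true, reason: "local allowlist" };
  return { allow: false, reason: "origin not allowed on this device" };
}

// Apply a batch of synced records. Permission records that arrive through
// Sync are dropped, not merged, so the allowlist stays device-determined.
function applySyncBatch(batch, localPermissions) {
  const result = { installed: [], rejected: [], droppedPermissions: [] };
  for (const item of batch) {
    if (item.type === "permission") { result.droppedPermissions.push(item.origin); continue; }
    const d = installDecision(item, localPermissions);
    (d.allow ? result.installed : result.rejected).push({ id: item.id, reason: d.reason });
  }
  return result;
}

// Constructed sample: a local allowlist and an incoming batch in which a peer
// pushes both an allowlist entry and an add-on from that same origin.
const LOCAL_PERMISSIONS = new Map([["https://addons.example.net", "allow"]]);
const SAMPLE_BATCH = [
  { type: "addon", id: "amo-addon@example", sourceURI: "https://addons.mozilla.org/firefox/downloads/file/1/a.xpi" },
  { type: "addon", id: "trusted-local@example", sourceURI: "https://addons.example.net/b.xpi" },
  { type: "permission", origin: "https://untrusted.example", permission: "allow" },
  { type: "addon", id: "pushed@example", sourceURI: "https://untrusted.example/c.xpi" },
  { type: "addon", id: "bad-uri@example", sourceURI: "not a uri" },
];

function demo() { return applySyncBatch(SAMPLE_BATCH, LOCAL_PERMISSIONS); }
console.log(JSON.stringify(demo(), null, 2));
```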