Closed Bug 1059194 Opened 10 years ago Closed 10 years ago

Installation of Trusted Hosted Apps

Categories

(Core Graveyard :: DOM: Apps, defect)

Product:
Core Graveyard
Component:
DOM: Apps
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox33 wontfix, firefox34 fixed, firefox35 fixed, b2g-v2.1 fixed, b2g-v2.2 fixed)

Status:
RESOLVED FIXED
Milestone:
2.1 S5 (26sep)
Tracking Flags:
Tracking Status
firefox33 --- wontfix
firefox34 --- fixed
firefox35 --- fixed
b2g-v2.1 --- fixed
b2g-v2.2 --- fixed

People

(Reporter: mattias.ostergren, Assigned: vlatko.markovic)

References

Details

Attachments

(5 files, 6 obsolete files)

Bug_1059194-Trusted-Hosted-Apps-part-3-Add-support-i3.patch
2.03 KB, patch
fabrice
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
basic tests
12.94 KB, patch
myk
: review+
sicking
: approval-mozilla-aurora+
Details | Diff | Splinter Review
0001-Bug-1059194-Trusted-Hosted-Apps-part-1-App-installat.patch
32.04 KB, patch
fabrice
: review+
sicking
: approval-mozilla-aurora+
Details | Diff | Splinter Review
0002-Bug-1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch
8.95 KB, patch
sicking
: review+
sicking
: approval-mozilla-aurora+
Details | Diff | Splinter Review
0003-CSP-infrastructure-frame-src.patch
1.15 KB, patch
sicking
: review+
sicking
: approval-mozilla-aurora+
Details | Diff | Splinter Review
As opposed from the original proposal to implement a new application type for trusted hosted apps, instead introduce new application kind: 'hosted-trusted'. To simplify identification of the app, keep 'trusted' keyword in the manifest type element, appStatus and permission table, but implement behavior through application 'kind'. The benefit is to: 1. limit the code footprint 2. avoid the need to introduce routine for gecko updates from 2.0 to later versions, as application registry will continue to work as is.
Assignee: nobody → vlatko.markovic
Blocks: 1016421
Whiteboard: [2.1-feature-qa+]
Target Milestone: --- → 2.1 S4 (12sep)
Whiteboard: [2.1-feature-qa+]
Attachment #8480650 - Flags: review?(fabrice)
Attachment #8480651 - Flags: review?(fabrice)
Attachment #8480652 - Flags: review?(fabrice)
Comment on attachment 8480650 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-1-App-installat.patch Review of attachment 8480650 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/Webapps.jsm @@ +1674,5 @@ > > startOfflineCacheDownload: function(aManifest, aApp, aProfileDir, aIsUpdate) { > + if (aApp.kind !== this.kHostedAppcache && > + aApp.kind !== this.kTrustedHosted && > + aManifest.appcache_path) { Why do we need to check for appcache_path here?
Attachment #8480650 - Flags: feedback?(fabrice)
(In reply to Vlatko Markovic from comment #4) > Comment on attachment 8480650 [details] [diff] [review] > Bug_1059194-Trusted-Hosted-Apps-part-1-App-installat.patch > > Review of attachment 8480650 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/apps/src/Webapps.jsm > @@ +1674,5 @@ > > > > startOfflineCacheDownload: function(aManifest, aApp, aProfileDir, aIsUpdate) { > > + if (aApp.kind !== this.kHostedAppcache && > > + aApp.kind !== this.kTrustedHosted && > > + aManifest.appcache_path) { > > Why do we need to check for appcache_path here? We want to enter this code path only if we have an appcache to download, but the test app I used when writing these patches didn't have one. So I added this check to not error out. If we are confident that THA will always use appcache, we should: - check that we have an appcache before setting kind to kTrustedHosted. - remove these extra checks.
Attachment #8480650 - Flags: feedback?(fabrice)
Attachment #8480652 - Flags: review?(fabrice) → review+
Also, we absolutely need tests. Vlatko, you'll need try server access for that, I filed bug Bug 1061071 .
Included default permission table.
Attachment #8483428 - Flags: review?(fabrice)
Attachment #8480650 - Attachment is obsolete: true
Attachment #8480650 - Flags: review?(fabrice)
Rebase.
Attachment #8480651 - Attachment is obsolete: true
Attachment #8480651 - Flags: review?(fabrice)
Attachment #8483430 - Flags: review?(fabrice)
Attachment #8483428 - Flags: review?(fabrice) → review+
Comment on attachment 8483430 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch Review of attachment 8483430 [details] [diff] [review]: ----------------------------------------------------------------- Sid, can you check the nsDocument.cpp changes?
Attachment #8483430 - Flags: review?(sstamm)
Attachment #8483430 - Flags: review?(fabrice)
Attachment #8483430 - Flags: review+
Comment on attachment 8483430 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch Review of attachment 8483430 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/AppsUtils.jsm @@ +189,5 @@ > + ? Services.prefs.getCharPref("security.apps.trusted.CSP.default") > + : ""; > + break; > + } > + } catch(e) {} If there's an exception reading default prefs we should default to a strict policy rather than let the phone fail open. Personally I'd go with "default-src 'none'" so people would have to debug the phone, but I acknowledge that's likely unacceptable. I could live with return "default-src 'self'; object-src 'none'"; or even the more generous (least priv'd type) return "default-src *; script-src 'self'; object-src 'none'; style-src 'self'";
Attachment #8483430 - Flags: feedback-
Comment on attachment 8483430 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch Review of attachment 8483430 [details] [diff] [review]: ----------------------------------------------------------------- nsDocument.cpp changes look good. I agree with dveditz that we should make any pref-reading failures really obvious by shutting things down or using a very strict policy so that anyone who breaks those prefs has to notice in testing. r=me on the nsDocument.cpp stuff only.
Attachment #8483430 - Flags: review?(sstamm) → review+
needinfo? Jonas for his call on comment 10.
Flags: needinfo?(jonas)
Comment on attachment 8483430 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch Review of attachment 8483430 [details] [diff] [review]: ----------------------------------------------------------------- r=me with those things fixed. ::: b2g/app/b2g.js @@ +392,5 @@ > // $ adb shell start > pref("browser.dom.window.dump.enabled", false); > > +// Default Content Security Policy to apply to trusted, privileged and certified apps > +pref("security.apps.trusted.CSP.default", "default-src *; object-src 'none'"); Dan/Sid: Will "default-src *" ensure that inline and evaled script/CSS is disabled? Or do we need to use: "default-src *; object-src 'none'; script-src *; style-src *" ::: dom/apps/src/AppsUtils.jsm @@ +189,5 @@ > + ? Services.prefs.getCharPref("security.apps.trusted.CSP.default") > + : ""; > + break; > + } > + } catch(e) {} I don't feel strongly, but adding return "default-src 'self'; object-src 'none'"; here seems better. ::: dom/interfaces/apps/nsIAppsService.idl @@ +53,5 @@ > + > + /** > + * Returns the manifest CSP associated to this localId. > + */ > + DOMString getManifestCSPByLocalId(in unsigned long localId); Switch order between these two so that they match the order in the source.
Attachment #8483430 - Flags: review+
Comment on attachment 8483428 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-1-App-installat.patch Review of attachment 8483428 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/Webapps.jsm @@ +395,5 @@ > + let kind = this.kHosted; > + if (aManifest.type == "trusted") { > + kind = this.kTrustedHosted; > + } else if (aManifest.appcache_path) { > + kind = kHostedAppcache; this.kHostedAppcache
(In reply to Jonas Sicking (:sicking) from comment #13) > Dan/Sid: Will "default-src *" ensure that inline and evaled script/CSS is > disabled? Or do we need to use: > > "default-src *; object-src 'none'; script-src *; style-src *" According to the spec, when "script-src" is not present but "default-src" is, the value of the default-src directive is what is used as the value of script-src. That's a long way of saying that "default-src *" should be sufficient to prohibit inline/eval.
Regression fix.
Attachment #8487090 - Flags: review?(jonas)
Attachment #8487090 - Flags: review?(fabrice)
Fixes comments.
Attachment #8487092 - Flags: review?(jonas)
Attachment #8487092 - Flags: review?(fabrice)
Attachment #8487092 - Flags: review?(dveditz)
(In reply to Zoran Jovanovic from comment #16) > Created attachment 8487090 [details] [diff] [review] > 0001-Bug-1059194-Trusted-Hosted-Apps-part-1-App-installat.patch > > Regression fix. Obsoletes: Bug_1059194-Trusted-Hosted-Apps-part-1-App-installat.patch
(In reply to Zoran Jovanovic from comment #17) > Created attachment 8487092 [details] [diff] [review] > 0002-Bug-1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch > > Fixes comments. Obsoletes: Bug_1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch
Attachment #8487090 - Flags: review?(fabrice) → review+
Attachment #8487092 - Flags: review?(fabrice) → review+
Attached patch basic testsSplinter Review
Myk, I just added the "trusted" app case to our install/update tests for non-packaged apps. Trusted Hosted Apps are expected to use appcache for offline support it's almost a copy/paste of the appcache case, with changes to the way we load the js code into the iframe to check app launch because it's not possible to inline it anymore with the THA csp.
Attachment #8488295 - Flags: review?(myk)
Comment on attachment 8488295 [details] [diff] [review] basic tests Review of attachment 8488295 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/tests/file_app.sjs @@ +73,5 @@ > > + // Check if we ask for the js script used in file_app.template.html > + if ("script" in query) { > + response.write(makeResource(gScriptTemplatePath, version, apptype, role)); > + return; Nit: add one more space of indentation to these two lines. ::: dom/apps/tests/test_app_update.html @@ +193,5 @@ > + request = navigator.mozApps.mgmt.uninstall(app); > + request.onerror = mozAppsError; > + request.onsuccess = continueTest; > + yield undefined; > + info("Uninstalled app"); Nit: I would make this now read "Uninstalled hosted app".
Attachment #8488295 - Flags: review?(myk) → review+
Rebase on master.
Attachment #8487090 - Attachment is obsolete: true
Attachment #8487090 - Flags: review?(jonas)
Attachment #8488716 - Flags: review?(jonas)
Attachment #8488716 - Flags: review?(fabrice)
Attachment #8487092 - Attachment is obsolete: true
Attachment #8487092 - Flags: review?(jonas)
Attachment #8487092 - Flags: review?(dveditz)
Attachment #8488718 - Flags: review?(jonas)
Attachment #8488718 - Flags: review?(fabrice)
Attachment #8483428 - Attachment is obsolete: true
Attachment #8483430 - Attachment is obsolete: true
I'm down to M1 failures on b2g desktop to figure out: https://tbpl.mozilla.org/?tree=Try&rev=2b61fb65e61a
Fixed the M1 locally, let's see what try says: https://tbpl.mozilla.org/?tree=Try&rev=003e92fa9614
(In reply to Fabrice Desré [:fabrice] from comment #25) > Fixed the M1 locally, let's see what try says: > https://tbpl.mozilla.org/?tree=Try&rev=003e92fa9614 Dan made a good comment in bug 1059202 about default csp. We should add "frame-src 'none'" to default for THA. Can I upload the new patch? I saw you made some changes to default csp in b2g.js to make tests work...
(In reply to Zoran Jovanovic from comment #26) > Dan made a good comment in bug 1059202 about default csp. We should add > "frame-src 'none'" to default for THA. Can I upload the new patch? I saw you > made some changes to default csp in b2g.js to make tests work... I would rather like an interdiff.
Attachment #8489495 - Flags: review?(jonas)
Attachment #8489495 - Flags: review?(fabrice)
Comment on attachment 8488716 [details] [diff] [review] 0001-Bug-1059194-Trusted-Hosted-Apps-part-1-App-installat.patch Review of attachment 8488716 [details] [diff] [review]: ----------------------------------------------------------------- Fabrice needs to look at this one as he knows the code.
Attachment #8488716 - Flags: review?(jonas)
Comment on attachment 8488718 [details] [diff] [review] 0002-Bug-1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch Review of attachment 8488718 [details] [diff] [review]: ----------------------------------------------------------------- I can cover this one. Fabrice, feel free to review this one too if you want to though.
Attachment #8488718 - Flags: review?(jonas)
Attachment #8488718 - Flags: review?(fabrice)
Attachment #8488718 - Flags: review+
Comment on attachment 8489495 [details] [diff] [review] 0003-CSP-infrastructure-frame-src.patch Review of attachment 8489495 [details] [diff] [review]: ----------------------------------------------------------------- Like I said elsewhere, I don't think this is strictly needed from a security perspective. However if you're not worried about needing to iframe other websites (like ads) then this is certainly safer.
Attachment #8489495 - Flags: review?(jonas)
Attachment #8489495 - Flags: review?(fabrice)
Attachment #8489495 - Flags: review+
Attachment #8488716 - Flags: review?(fabrice) → review+
Target Milestone: 2.1 S4 (12sep) → 2.1 S5 (26sep)
Depends on: 1066362
Comment on attachment 8480652 [details] [diff] [review] Bug_1059194-Trusted-Hosted-Apps-part-3-Add-support-i3.patch Review of attachment 8480652 [details] [diff] [review]: ----------------------------------------------------------------- This is a Tako feature that needs to land on 2.1. Risk is moderate/low as we have test coverage.
Attachment #8480652 - Flags: approval-mozilla-aurora?
Attachment #8480652 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8488295 [details] [diff] [review] basic tests got a=bajaj over email
Attachment #8488295 - Flags: approval-mozilla-aurora+
Comment on attachment 8488716 [details] [diff] [review] 0001-Bug-1059194-Trusted-Hosted-Apps-part-1-App-installat.patch got a=bajaj over email
Attachment #8488716 - Flags: approval-mozilla-aurora+
Comment on attachment 8488718 [details] [diff] [review] 0002-Bug-1059194-Trusted-Hosted-Apps-part-2-CSP-infrastru.patch got a=bajaj over email
Attachment #8488718 - Flags: approval-mozilla-aurora+
Comment on attachment 8489495 [details] [diff] [review] 0003-CSP-infrastructure-frame-src.patch got a=bajaj over email
Attachment #8489495 - Flags: approval-mozilla-aurora+
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: