Closed
Bug 1059198
Opened 10 years ago
Closed 10 years ago
Permission table update for Trusted Hosted Apps
Categories
(Core Graveyard :: DOM: Apps, defect)
Tracking
(firefox33 wontfix, firefox34 fixed, firefox35 fixed, b2g-v2.1 fixed, b2g-v2.2 fixed)
RESOLVED
FIXED
2.1 S5 (26sep)
People
(Reporter: mattias.ostergren, Assigned: vlatko.markovic)
References
Details
Attachments
(1 file, 3 obsolete files)
|
3.04 KB,
patch
|
sicking
:
review+
sicking
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
No description provided.
|
Reporter | |
Updated•10 years ago
|
Assignee: nobody → vlatko.markovic
Depends on: 1016421
Whiteboard: [2.1-feature-qa+]
Target Milestone: --- → 2.1 S4 (12sep)
|
|
Reporter | |
Updated•10 years ago
|
|
||
Updated•10 years ago
|
Whiteboard: [2.1-feature-qa+]
|
Assignee | |
Comment 1•10 years ago
|
||
|
|
Assignee | |
Comment 2•10 years ago
|
||
|
||
Comment 3•10 years ago
|
||
Tagging Paul for a quick sec-review glance on the trusted permissions that differ from hosted apps
Flags: sec-review?(ptheriault)
|
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8480654 [details] [diff] [review] Bug_1059198-Permission-table-update-for-Trusted-Host_pt2.patch Review of attachment 8480654 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/PermissionsTable.jsm @@ +160,5 @@ > certified: ALLOW_ACTION > }, > settings: { > app: DENY_ACTION, > + trusted: ALLOW_ACTION, Settings are super sensitive, in part because there's absolutely no granularity. We don't allow privileged apps to read or write these, and certified apps that do get a careful look. Why do trusted apps need it? It is insanely risky to open this to a website, even given the CA pinning we plan for THA. We should instead enumerate your needs for it and come up with a different, more limited, API that does only the bits you need.
Attachment #8480654 -
Flags: feedback-
|
|
||
Updated•10 years ago
|
Flags: needinfo?(jonas)
Attachment #8480653 -
Flags: review+
Comment on attachment 8480654 [details] [diff] [review] Bug_1059198-Permission-table-update-for-Trusted-Host_pt2.patch Review of attachment 8480654 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/PermissionsTable.jsm @@ +105,5 @@ > access: ["read", "write", "create"] > }, > "device-storage:sdcard": { > app: DENY_ACTION, > + trusted: PROMPT_ACTION, Why do you need this? Isn't pictures/videos/music isn't enough? That said, I think this doesn't add much risk above what pictures add as that's generally the most sensitive content. But it's good if we can avoid it. @@ +160,5 @@ > certified: ALLOW_ACTION > }, > settings: { > app: DENY_ACTION, > + trusted: ALLOW_ACTION, Yes. This is not ok. Once we add support for individual settings (which recently landed but might still be seeing some regressions) then we can add access to those. But those will be separate from this one. @@ +305,5 @@ > certified: ALLOW_ACTION > }, > "audio-channel-notification": { > app: DENY_ACTION, > + trusted: ALLOW_ACTION, // used with camera shutter Shutter should use "audio-channel-publicnotification", so use that one instead.
Attachment #8480654 -
Flags: review-
|
||
Comment 6•10 years ago
|
||
(In reply to Jonas Sicking (:sicking) from comment #5) > Comment on attachment 8480654 [details] [diff] [review] > Bug_1059198-Permission-table-update-for-Trusted-Host_pt2.patch > > Review of attachment 8480654 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/apps/src/PermissionsTable.jsm > @@ +105,5 @@ > > access: ["read", "write", "create"] > > }, > > "device-storage:sdcard": { > > app: DENY_ACTION, > > + trusted: PROMPT_ACTION, > > Why do you need this? Isn't pictures/videos/music isn't enough? > We'll double check the motivation here. > > @@ +160,5 @@ > > certified: ALLOW_ACTION > > }, > > settings: { > > app: DENY_ACTION, > > + trusted: ALLOW_ACTION, > > Yes. This is not ok. Once we add support for individual settings (which > recently landed but might still be seeing some regressions) then we can add > access to those. But those will be separate from this one. What bug should we look at? 846200 ? How would that work? > > @@ +305,5 @@ > > certified: ALLOW_ACTION > > }, > > "audio-channel-notification": { > > app: DENY_ACTION, > > + trusted: ALLOW_ACTION, // used with camera shutter > > Shutter should use "audio-channel-publicnotification", so use that one > instead. Thanks. Will do.
(In reply to Zoran Jovanovic from comment #6) > What bug should we look at? 846200 ? How would that work? Bug 846200 and bug 900551 added the needed support. Look at attachment 8435452 [details] [diff] [review] for an example of how to use this.
Flags: needinfo?(jonas)
|
|
Assignee | |
Comment 8•10 years ago
|
||
Comment on attachment 8480653 [details] [diff] [review] Bug_1059198-Permission-table-update-for-Trusted-Host_pt1.patch Moved as part of first patch in bug 1059194.
Attachment #8480653 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 9•10 years ago
|
||
Attachment #8480654 -
Attachment is obsolete: true
Attachment #8483431 -
Flags: review?(fabrice)
|
||
Comment 10•10 years ago
|
||
Comment on attachment 8483431 [details] [diff] [review] Bug_1059198-Permission-table-update-for-Trusted-Host.patch Review of attachment 8483431 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/PermissionsTable.jsm @@ +160,5 @@ > certified: ALLOW_ACTION > }, > settings: { > app: DENY_ACTION, > + trusted: ALLOW_ACTION, No, we don't want to grant access to all settings. We'll have to agree on the set of settings and add the relevant permissions for each of them.
Attachment #8483431 -
Flags: review?(fabrice) → review-
Comment on attachment 8483431 [details] [diff] [review] Bug_1059198-Permission-table-update-for-Trusted-Host.patch Review of attachment 8483431 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/apps/src/PermissionsTable.jsm @@ +160,5 @@ > certified: ALLOW_ACTION > }, > settings: { > app: DENY_ACTION, > + trusted: ALLOW_ACTION, This is still not ok. It would be very helpful if you don't re-ask for review until you guys have addressed all previous review comments for that particular patch. Otherwise it's hard to tell which comments that you plan to address in future patches, and which ones you don't agree with and don't intend to address. It also means that we end up re-reviewing code that will be removed or changed in later patches.
|
|
||
Comment 12•10 years ago
|
||
(In reply to Jonas Sicking (:sicking) from comment #7) > (In reply to Zoran Jovanovic from comment #6) > > What bug should we look at? 846200 ? How would that work? > > Bug 846200 and bug 900551 added the needed support. Look at attachment > 8435452 [details] [diff] [review] for an example of how to use this. I don't see it reading the code, what is the granularity here? Can permissions for groups of settings, e.g. settings:audio, be declared as well as individual settings, e.g. settings:audio.volume?
|
|
||
Comment 13•10 years ago
|
||
There's no notion of settings group, this needs to be done one by one.
|
||
Comment 14•10 years ago
|
||
Attached a new patch that doesn't have the settings permission.
Attachment #8487845 -
Flags: review?(fabrice)
|
|
||
Updated•10 years ago
|
Attachment #8487845 -
Flags: review?(jonas)
|
|
||
Updated•10 years ago
|
Attachment #8487845 -
Flags: review?(fabrice)
Attachment #8487845 -
Flags: review?(jonas) → review+
|
||
Updated•10 years ago
|
Target Milestone: 2.1 S4 (12sep) → 2.1 S5 (26sep)
Fabrice? What's needed here? Isn't this ready to land? Note that the patch that I r+'ed is the same as the one you r-'ed, except that it doesn't give access to the "settings" permission.
|
|
||
Comment 16•10 years ago
|
||
(In reply to Jonas Sicking (:sicking) from comment #15) > Fabrice? What's needed here? Isn't this ready to land? Note that the patch > that I r+'ed is the same as the one you r-'ed, except that it doesn't give > access to the "settings" permission. I don't want to land that before we have security checks landed, since that would let any hosted app claim additional permissions by only setting type: "trusted" in their manifest.
Depends on: 1059216
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8483431 -
Attachment is obsolete: true
Comment on attachment 8487845 [details] [diff] [review] Bug_1059198-Permission-table-update-for-Trusted-Host.patch got a=bajaj over email.
Attachment #8487845 -
Flags: approval-mozilla-aurora+
|
||
Comment 19•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/80f3d1a13857
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
|
||
Comment 20•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/f22aa9158262
status-b2g-v2.1:
--- → fixed
|
|
||
Updated•10 years ago
|
status-b2g-v2.2:
--- → fixed
status-firefox33:
--- → wontfix
status-firefox34:
--- → fixed
status-firefox35:
--- → fixed
THA is gone, removing review
Flags: sec-review?(ptheriault)
|
||
Updated•7 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•