1073191 - Implement FHR-web signed-content validation

Status: RESOLVED INCOMPLETE

(Core :: Security, defect)

Description

[Benjamin Smedberg]

For the next version of FHR which will include self-support, we want the ability to validate that all of the content for FHR is signed with a special key builtin to Firefox.

This will allow us to expose additional actions on MozSelfSupport.

Technically, we want to be able to identify a particular <browser> element which may be visible (about:healthreport) or hidden (self-support), and have the following guarantees:

* all content loaded into this frame must be from a jar: URI
* the JARs are all validated to be correctly signed before they are used
* the JARs must be signed by a certificate that is builtin to Firefox

If any of the conditions fails, the network load should be stopped.

Additional details:

* There should actually be two or three builtin certificates, so that if one of them is compromised we can revoke it and still have a way to deliver FHR data to Firefox.
* Revocation checking should be enabled.
* once this work lands, the mozSelfSupport API should only be exposed to content within this special set of restrictions. Please let me know if I should file this as a separate bug.

Comment 1

[André Reinald]

Daniel, Benjamin told that you could mentor me on this bug. Please reach to me in any way you find suitable.

Comment 2

[Dana Keeler (she/her) [:keeler]]

I think most of the work here has actually been done (see e.g. the recent content signature work and the signed add-ons work). Is this still relevant?

Comment 3

[Benjamin Smedberg]

No. The new system addon approach means that this is basically irrelevant (we should just get rid of FHR-web and replace it with the addon, but that's separate).