Closed Bug 1390035 Opened 7 years ago Closed 6 years ago

Security Review: Allow web extensions to access reader pages

Categories

(Firefox Graveyard :: Security: Review Requests, enhancement)

enhancement
Not set
normal

Tracking

(firefox57 wontfix)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: cr)

References

(Blocks 1 open bug)

Details

Bob is about to start work on 1371786 so we should try to get this review going.

First thing is we need to answer the questions I raise in https://bugzilla.mozilla.org/show_bug.cgi?id=1371786#c1
Summary: Allow web extensions to access reader pages → Security Review: Allow web extensions to access reader pages
Assignee: nobody → cr
This review is meant to cover the case of running content scripts on about:reader pages (which is bug 1371786 and is already marked as blocked). Can it please be extended to also cover the case of about:reader for bug 1371793, which is about being able to create a new tab via tabs.create() for an about page?
Blocks: 1371793
Just checking on here to see if any progress has been made on this review. Thanks.
Note that bug 1408993 has changed slightly, and I'm not sure what impact, if any, that will have on the security review. Now, instead of allowing users to create new tabs with an "about:reader" URL, we are allowing users to specify an openInReaderMode option, which will cause us to open the given url after prepending it with "about:reader?url=".
Bob, no progress yet as this was competing with higher priority work.

Please point me to the relevant source code.
I've done an initial review here. Detailed notes are here: https://docs.google.com/document/d/1zux2CBtLun6Lav_ua8evDPyDAq3JZakyl_XRIyjGJoA/edit#

There are two main items that I think need follow-up:
 1. We need to figure out the security model for this API.
 2. We need someone more familiar with reader mode to review the potential impact. I didn't find anything bad, but there is attack surface, and I don't know reader mode or our front-end code well enough to be confident this is safe.

1. Security Model
We need to figure out how this permission will work with the Host Permission model for web extensions. Consider that a web extension with access to inject script into about:reader has permission to inject into a page that can read the contents of ANY http or https page (i.e. the extension loads the target page in reader mode, then injects script into about:reader). So basically I think we should treat about:reader as dangerous as <all_urls>, since it is effectively that.

2. Reviewing the impact of scripting in reader mode.
I've tried to have a look at this, and I tried to achieve various forms of privilege escalation with a malicious add-on. (I was basically simulating this though, just using devtools). The key things I noted were that:
 - about:reader treats other about pages (including about:reader itself) as cross-origin (good)
 - about:reader can embed iframes for many about: pages which a regular web page cannot access. They are cross-origin, but script in about:reader could postMessage to it.
 - about:reader seems to have a narrow channel to communicate with chrome, the AboutReaderListener in tab-content.js [1]. The events don't take many args and these I don't see as much of a threat. But I'm not sure if this is the ONLY communication channel between ReaderMode content and privileged code.
[1] http://searchfox.org/mozilla-central/source/browser/base/content/tab-content.js#247
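To make the host-permission concern in item 1 concrete, here is an added example in JavaScript; it is not code from this bug, from the add-on in question, or from mozilla-central. It models two ways a permission check could treat an about:reader tab: matching the literal about:reader URL (under which a single about:reader grant reaches any http(s) page that can be wrapped in "about:reader?url="), and first unwrapping the reader URL to the page it renders so that the extension's host permissions are checked against that page instead. The permission string "about:reader", the function names (compilePattern, effectiveUrl, naiveAllows, hardenedAllows) and the sample URLs are assumptions made for the illustration, and the match-pattern parser is a simplified one.

```javascript
// Added example, not Firefox's implementation. Simplified WebExtension match
// patterns: "<all_urls>", "<scheme>://<host><path>", plus an assumed literal
// "about:reader" permission string used only for this illustration.

// Schemes that the real <all_urls> pattern covers; note that about: is not one of them.
const ALL_URLS_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:", "file:", "data:"]);

// Turn a path glob ("/*", "/articles/*") into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Compile one match pattern into a predicate over a WHATWG URL object.
function compilePattern(pattern) {
  if (pattern === "<all_urls>") {
    return (url) => ALL_URLS_SCHEMES.has(url.protocol);
  }
  if (pattern === "about:reader") {
    // Assumed spelling of a reader-page permission; not a real match-pattern form.
    return (url) => url.protocol === "about:" && url.pathname === "reader";
  }
  const m = /^(\*|[a-z]+):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const pathRe = globToRegExp(path);
  return (url) => {
    const schemeOk = scheme === "*"
      ? url.protocol === "http:" || url.protocol === "https:"
      : url.protocol === `${scheme}:`;
    let hostOk;
    if (host === "*") {
      hostOk = true;
    } else if (host.startsWith("*.")) {
      const base = host.slice(2);
      hostOk = url.hostname === base || url.hostname.endsWith(`.${base}`);
    } else {
      hostOk = url.hostname === host;
    }
    // Match patterns compare the path together with the query string.
    return schemeOk && hostOk && pathRe.test(url.pathname + url.search);
  };
}

// Resolve "about:reader?url=<target>" to the page whose content the reader shows.
// Any other URL is returned unchanged.
function effectiveUrl(href) {
  const url = new URL(href);
  if (url.protocol === "about:" && url.pathname === "reader") {
    const target = url.searchParams.get("url");
    if (target) return new URL(target);
  }
  return url;
}

// Naive model: check permissions against the literal URL shown in the tab.
function naiveAllows(permissions, href) {
  const url = new URL(href);
  return permissions.map(compilePattern).some((matches) => matches(url));
}

// Hardened model: an about:reader tab counts as the page it renders, so host
// permissions must cover the wrapped URL. A reviewer who cannot enforce this can
// instead treat "about:reader" as equivalent to <all_urls>, as the comment suggests.
function hardenedAllows(permissions, href) {
  const url = effectiveUrl(href);
  return permissions.map(compilePattern).some((matches) => matches(url));
}

// Constructed sample: an arbitrary https page wrapped in reader mode.
const TARGET_PAGE = "https://bank.example/account";
const READER_URL = "about:reader?url=" + encodeURIComponent(TARGET_PAGE);

// Side-by-side result for a reviewer: which model lets which grant reach the page.
function compareModels(permissions, href) {
  return { naive: naiveAllows(permissions, href), hardened: hardenedAllows(permissions, href) };
}

console.log("about:reader only  ", compareModels(["about:reader"], READER_URL));
console.log("bank.example only  ", compareModels(["*://bank.example/*"], READER_URL));
console.log("<all_urls> only    ", compareModels(["<all_urls>"], READER_URL));
```

Under the naive model the about:reader grant alone reaches the wrapped banking page while a legitimate host permission for bank.example does not, which is exactly the inversion the review warns about; under the hardened model the decision follows the wrapped page's origin.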
See also 1420507
This review is done. There are still unresolved security questions about this API, but the discussion continues in the bug itself (1371786).
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: Firefox → Firefox Graveyard