Closed
Bug 1423510
Opened 7 years ago
Closed 7 years ago
Hybrid Telemetry Security Review
Categories
(Firefox Graveyard :: Security: Review Requests, enhancement)
Firefox Graveyard
Security: Review Requests
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: pauljt, Assigned: pauljt)
References
Details
Project name: Hybrid Content Telemetry Work description: Security Review for this project. The project itself is about adding an API so that (hosted) semi-privileged web pages can record Telemetry through Firefox. We designed the API (bug 1417471) and started with the implementation (bug 1417473).
|
Assignee | |
Comment 1•7 years ago
|
||
I've completed this review. Overall looks pretty similar to uitours (for better or worse). I didn't see any security issues, though Im a little nervous about there not being any validation/sanitization on the data coming from the page. Findings: Mostly looks ok, seems to be basically the same as uitours. Could maybe improve the security of the API a little: - Don’t inject the API into every page (not a security issue but don’t pollute the DOM)? - Don’t listen for the CustomEvent on every page? - Using a permission only raises an issue for web extensions - Web Extensions often have permission to inject script into ALL urls - This means web extensions can inject spurious data into our telemetry We still need to know what we are doing with uitours and web extensions though, so we just will have to do the same thing. Working notes: https://docs.google.com/document/d/14CsuQyBlH7ABDbiGBmQ3W5pfQwz4UWkQuNLdjZ7Df44/edit
|
|
Assignee | |
Comment 2•7 years ago
|
||
PS One thing I do very much like that we didnt just jam this onto the uitours permission :)
|
||
Comment 3•7 years ago
|
||
(In reply to Paul Theriault [:pauljt] from comment #1) > I've completed this review. Overall looks pretty similar to uitours (for > better or worse). I didn't see any security issues, though Im a little > nervous about there not being any validation/sanitization on the data coming > from the page. Thank you very much for the in-depth and timely review Paul, this is much appreciated! Both Gijs (front-end part) and :chutten (Telemetry bits) will take care of reviewing the code for the modules they own. Regarding the sanitization/validation, I intentionally delegated that to the c++ Telemetry core which already performs these when the API is called from JS-land: https://searchfox.org/mozilla-central/rev/2e08acdf8862e68b13166970e17809a3b5d6a555/toolkit/components/telemetry/TelemetryEvent.cpp#761-840 The idea was to avoid replicating the same checks, as we already have them in one place (along with test-coverage). I'm happy to change this if it poses a security threat though (less happy about duplicating the test coverage :D). > Findings: > > Mostly looks ok, seems to be basically the same as uitours. Could maybe > improve the security of the API a little: > - Don’t inject the API into every page (not a security issue but don’t > pollute the DOM)? > - Don’t listen for the CustomEvent on every page? These make sense. I'll reach out to Gijs to see how it can be done. > - Using a permission only raises an issue for web extensions > - Web Extensions often have permission to inject script into ALL urls > - This means web extensions can inject spurious data into our telemetry I wonder if there's a way to detect this behaviour. We should have server-side metrics that should alert us if anything too weird happens.
|
|
||
Comment 4•7 years ago
|
||
I've updated the patch in the main implementation bug to account to implement the |canUpload| method, as described in the security notes. Do you or :freddyb need to take another look at the code (https://reviewboard.mozilla.org/r/204188/diff/1-2/)? I've filed bug 1423600 to port the API to the new security infrastructure/API once it's available.
Flags: needinfo?(ptheriault)
|
|
Assignee | |
Comment 5•7 years ago
|
||
> I wonder if there's a way to detect this behaviour. We should have > server-side metrics that should alert us if anything too weird happens. See also bug 1415644. We will likely prevent access here. (In reply to Alessio Placitelli [:Dexter] from comment #4) > I've updated the patch in the main implementation bug to account to > implement the |canUpload| method, as described in the security notes. Do you > or :freddyb need to take another look at the code > (https://reviewboard.mozilla.org/r/204188/diff/1-2/)? > > I've filed bug 1423600 to port the API to the new security > infrastructure/API once it's available. Nothing more from my side.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → FIXED
|
|
Assignee | |
Comment 6•6 years ago
|
||
For posterity, not that the permission has been added in bug 1444114
|
|
Assignee | |
Comment 7•6 years ago
|
||
Er, For posterity, NOTE that the permission has been added in bug 1444114
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → ptheriault
|
||
Updated•4 years ago
|
Product: Firefox → Firefox Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•