Closed Bug 302146 Opened 19 years ago Closed 19 years ago

firefox should be sandboxed

Categories: Firefox :: Security, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
Reporter: gambarimasu+bugzilla
Assignee: Unassigned

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Firefox/1.0.6

i did not find any bug resembling this, but i did not know what to search for. 
the closest was a java related thing, and that's unrelated except in spirit.

perhaps i am way off base here.  i cannot really believe that what appears to be
the case really is.  if so, i apologize in advance.

i discovered to my surprise that a download extension (downthemall or flashgot;
doesn't matter which) actually installs a shell script and executes it upon the
user's downloading something.  of course it's not the fault of that extension
that it is able to do arbitrary things.

this was a huge surprise to me because i assumed that ff would naturally be
sandboxed in such a way that an extension could not do arbitrary things to a
computer without the user having given permission.  after all, web site js can't
do much, and you can restrict it further to avoid spoofing attacks.  so why can
extensions do anything?

i assumed that extensions would be sandboxed but plugins would not be.  i
assumed that extensions were js code and data files, and that js was sandboxed.

my assumptions were probably too naive, i will admit.  but why isn't it possible
to have a finer grained security model here?

go ahead and close this out for "user too naive" if you like :-) but i wanted to
start this bug so it exists in the db for other users and developers with
childlike expectations of being able to play in a sandbox.

Reproducible: Always

Steps to Reproduce:
1.  write an extension that 0wns the luser.
*** Bug 302147 has been marked as a duplicate of this bug. ***
"Extensions" extend the browser, they can do anything the browser can do. That
is why only addons.mozilla.org is allowed to install them by default (though
users can add other sites if they know what they're doing), why the prompt has
the title "Software Installation" with an "Install Now" button, and carries
warnings about the dangers of installing untrusted stuff.

Most extensions are written in javascript, but so is Firefox's UI. The
limitations that apply to web content javascript aren't inherent in the language.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
(In reply to comment #2)
> "Extensions" extend the browser, they can do anything the browser can do. That
> is why only addons.mozilla.org is allowed to install them by default (though
> users can add other sites if they know what they're doing), why the prompt has
> the title "Software Installation" with an "Install Now" button, and carries
> warnings about the dangers of installing untrusted stuff.

i get that.  but why must it be so?

> 
> Most extensions are written in javascript, but so is Firefox's UI. The
> limitations that apply to web content javascript aren't inherent in the language.

i get that also, and wonder why extension js can't be almost as sandboxed as web js.

if it is too much work, i understand, but i would be interested in why it is
inherently "invalid".

thanks for your reply.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
> and wonder why extension js can't be almost as sandboxed as web js.
Because extensions must access internal Seamonkey/Firefox functions or they
couldn't work. Do you expect that for example a website can redirect all your
browser downloads (like the flashgot extension)?
The flashgot extension must access files on your HDD and that means that it must
have the same access as the browser itself.

marking invalid again.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
thanks for your reply.

(In reply to comment #4)
> > and wonder why extension js can't be almost as sandboxed as web js.
> Because extensions must access internal Seamonkey/Firefox functions or they
> couldn't work. Do you expect that for example a website can redirect all your
> browser downloads (like the flashgot extension)?

that is why i said "almost".  almost as.  not exactly as.

> The flashgot extension must access files on your HDD and that means that it must
> have the same access as the browser itself.

must it necessarily be able to run arbitrary commands without prior user
assertion or built in default that the program is ok to run?

why is it invalid to request a finer grained security model?

i'm ok with your "invalidating" the bug if the request is obviously invalid, but
it is not clear why it would be.

perhaps you mean "i don't like the idea" instead?  that would also be ok (your
opinion is presumably more valuable than mine because you are presumably a
volunteer developer and i am merely a user), but i'd like it made explicit,
since a finer grained security model, prima facie, could be more secure.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
(In reply to comment #5)
> must it necessarily be able to run arbitrary commands without prior user
> assertion or built in default that the program is ok to run?

Even if an extension is not able to run such commands, nobody but you would take
it for a sandbox. Indeed, your request makes nothing secure.

Scripts without all these privileges are called bookmarklets. Please search for
them.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID