Closed
Bug 971379
Opened 11 years ago
Closed 11 years ago
Allow certified apps to call mozID API outside an event handler
Categories
(Core Graveyard :: Identity, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla30
People
(Reporter: spenrose, Assigned: jedp)
References
Details
Attachments
(1 file, 8 obsolete files)
15.24 KB,
patch
|
ferjm
:
feedback+
|
Details | Diff | Splinter Review |
To prevent malicious scripts from hijacking Persona and FxA functionality, the mozID API is restricted to callbacks triggered by user actions. For certified and privileged apps, remove this restriction so they don't need to play the iframe game. Desired for WMF as part of 1.4
Reporter | ||
Updated•11 years ago
|
Reporter | ||
Comment 1•11 years ago
|
||
GGP, is this still a blocker for you? (Jed assigning to you so we don't lose track of it.)
Assignee: nobody → jparsons
Flags: needinfo?(ggoncalves)
Comment 2•11 years ago
|
||
I believe so. My use case is: if something goes wrong with the Find My Device server, the client will need to re-register, for which the server requires an assertion. Since assertions expire after a short period, I'll need to be able to obtain a fresh one without user interaction (since this is all happening in the System app, no UI involved) when that happens.
Flags: needinfo?(ggoncalves)
Assignee | ||
Comment 3•11 years ago
|
||
Untested! But I think this should do what you want.
:ggp, please give it a try if you have time. I'll test as soon as I can.
Attachment #8381534 -
Flags: feedback?(ggoncalves)
Assignee | ||
Updated•11 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 4•11 years ago
|
||
oh ****. working in the wrong tree. just a sec.
Assignee | ||
Comment 5•11 years ago
|
||
Ok that's actually a patch this time :)
Attachment #8381534 -
Attachment is obsolete: true
Attachment #8381534 -
Flags: feedback?(ggoncalves)
Attachment #8381539 -
Flags: review?(ggoncalves)
Comment 6•11 years ago
|
||
Comment on attachment 8381539 [details] [diff] [review]
Synthetic events always ok with certified apps
Hi Jed, thank you so much for the patch. Would it be too much work to rebase the patch at bug 947374? I would very much like to test this patch along with that one, if possible.
Attachment #8381539 -
Flags: review?(ggoncalves) → feedback?(ggoncalves)
Assignee | ||
Comment 7•11 years ago
|
||
Sorry if I accidentally flagged that as review! Meant to hit feedback.
Yes - I've rebased bug 947374.
Note that we'll need to declare the assertion audience in watch(), not in request().
This patch applies cleanly over that one.
Thanks for looking!
j
Comment 8•11 years ago
|
||
Comment on attachment 8381539 [details] [diff] [review]
Synthetic events always ok with certified apps
Review of attachment 8381539 [details] [diff] [review]:
-----------------------------------------------------------------
Just tried both patches together.
First of all, for some reason this patch still conflicted with the one at bug 947374 on current m-c (at least when using git bz apply, which downloads the patch and runs it through git am as far as I know). I did manage to apply the patch manually, though. It is also worth noting that both this patch and the other append the same line to services/fxaccounts/tests/moz.build, which causes a build failure.
Anyway, I eventually got to try them, and sadly this didn't work. I called request() from outside an event handler [1], but my onlogin callback never got called, and the console reads "nsDOMIdentity ({e9f59b18-a0b6-b545-84d6-da0d33286544}): request: rejecting non-native event". In case this helps, I also dump()'d aOptions.appStatus to see what was going on, and it seems it was undefined.
1- https://github.com/guilherme-pg/gaia/blob/wimf_fxa/apps/findmydevice/js/findmydevice.js#L137
Attachment #8381539 -
Flags: feedback?(ggoncalves) → feedback-
Assignee | ||
Comment 9•11 years ago
|
||
Thanks for the debug line - that's very helpful.
I'm building with your gaia branch and these patches to track down the problem today. Thanks for your patience.
Assignee | ||
Comment 10•11 years ago
|
||
I am a moron. This should work.
Tested successfully over the patch for Bug 947374, using your wimf_fxa gaia branch.
Attachment #8381539 -
Attachment is obsolete: true
Attachment #8382521 -
Flags: feedback?(ggoncalves)
Assignee | ||
Comment 11•11 years ago
|
||
- Rebased over Bug 947374 attachment 8383328 [details] [diff] [review]
- Added mochitests for installed, packaged, and certified apps
- Refactored error reporting in nsDOMIdentity a bit
:ggp, does this work for you?
spenrose, do you have any feedback?
Thanks!
j
Attachment #8382521 -
Attachment is obsolete: true
Attachment #8382521 -
Flags: feedback?(ggoncalves)
Attachment #8383361 -
Flags: feedback?(spenrose)
Attachment #8383361 -
Flags: feedback?(ggoncalves)
Assignee | ||
Comment 12•11 years ago
|
||
Fixed typos, comments
Attachment #8383361 -
Attachment is obsolete: true
Attachment #8383361 -
Flags: feedback?(spenrose)
Attachment #8383361 -
Flags: feedback?(ggoncalves)
Attachment #8383376 -
Flags: feedback?(spenrose)
Attachment #8383376 -
Flags: feedback?(ggoncalves)
Reporter | ||
Comment 13•11 years ago
|
||
Comment on attachment 8383376 [details] [diff] [review]
Synthetic events always ok with certified and packaged apps
This looks good, thanks so much. Excellent ratio of tests to new code :-)
Attachment #8383376 -
Flags: feedback?(spenrose) → feedback+
Assignee | ||
Comment 14•11 years ago
|
||
Thank you, Sam!
Comment 15•11 years ago
|
||
Comment on attachment 8383376 [details] [diff] [review]
Synthetic events always ok with certified and packaged apps
Review of attachment 8383376 [details] [diff] [review]:
-----------------------------------------------------------------
It's working for me, thanks Jed!
Attachment #8383376 -
Flags: feedback?(ggoncalves) → feedback+
Assignee | ||
Comment 16•11 years ago
|
||
Great news!
Assignee | ||
Comment 17•11 years ago
|
||
Attachment #8383376 -
Attachment is obsolete: true
Assignee | ||
Comment 18•11 years ago
|
||
This patch:
- confirms that packaged and certified apps can request() a firefox accounts assertion outside a user input handler. That is, they can call navigator.mozId.request() at any time, without a user click, because we trust them.
- reconfirms that an installed app cannot use fxa. (Since it gets shut down on watch(), it never gets to call request() anywhere.)
- confirms that a Persona RP cannot call request() when not handling user input.
Thanks for this and all your other reviews lateley, Fernando!
j
Attachment #8385005 -
Attachment is obsolete: true
Attachment #8387834 -
Flags: review?(ferjmoreno)
Comment 19•11 years ago
|
||
Comment on attachment 8387834 [details] [diff] [review]
Synthetic events always ok with certified and packaged apps
Review of attachment 8387834 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM, but I'd like to get an OK from the security team before landing this change.
::: dom/identity/DOMIdentity.jsm
@@ +171,5 @@
> + * Mockable, for testing
> + */
> + _mockIdentityService: null,
> + get IdentityService() {
> + if (this._mockIdentityService) {
nit: trailing whitespace.
@@ +330,5 @@
>
> _watch: function DOMIdentity__watch(message, targetMM) {
> log("DOMIdentity__watch: " + message.id);
> let context = this.newContext(message, targetMM);
> + let service = this.getService(message);
It seems that you don't need this unless you use 'service' in the next line.
::: dom/identity/nsDOMIdentity.js
@@ +194,3 @@
> let message = this.DOMIdentityMessage(aOptions);
>
> + // We permit calling of request() outside of a user input handler is when
s/handler is when/handler when ?
@@ +198,5 @@
> + // which make use of an RP context marked as _internal, or when a certified
> + // or privileged app is calling.
> + if (!aOptions._internal &&
> + this._appStatus !== Ci.nsIPrincipal.APP_STATUS_CERTIFIED &&
> + this._appStatus !== Ci.nsIPrincipal.APP_STATUS_PRIVILEGED) {
I would like to get a verification from the security team that they are ok with this.
@@ +633,5 @@
> // Currently, we only permit certified and privileged apps to use
> // Firefox Accounts.
> + if (aOptions.wantIssuer == "firefox-accounts") {
> + if (this._appStatus !== principal.APP_STATUS_PRIVILEGED &&
> + this._appStatus !== principal.APP_STATUS_CERTIFIED) {
Can you group the condition in one if, please?
::: dom/identity/tests/mochitest/test_syntheticEvents.html
@@ +35,5 @@
> + return Promise.resolve("here~you.go.dude");
> + }
> +};
> +
> +let originalManager = FirefoxAccounts.fxAccountsManager;
You are not restoring the original manager.
::: toolkit/identity/FirefoxAccounts.jsm
@@ +32,5 @@
> }
>
> let log = Log.repository.getLogger("Identity.FxAccounts");
> log.level = LOG_LEVEL;
> +//log.addAppender(new Log.ConsoleAppender(new Log.BasicFormatter()));
Uncomment this line
Attachment #8387834 -
Flags: review?(ptheriault)
Attachment #8387834 -
Flags: review?(jonas)
Attachment #8387834 -
Flags: review?(ferjmoreno)
Attachment #8387834 -
Flags: review+
Assignee | ||
Comment 20•11 years ago
|
||
(In reply to Fernando Jiménez Moreno [:ferjm] (Work week from 10/3 to 14/3. Low bugmail activity). from comment #19)
> Comment on attachment 8387834 [details] [diff] [review]
> Synthetic events always ok with certified and packaged apps
>
> Review of attachment 8387834 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> LGTM, but I'd like to get an OK from the security team before landing this
> change.
Thanks for your review, Fernando. I'm particularly grateful to have your feedback while you are participating in a work-week on a completely unrelated topic.
> ::: dom/identity/DOMIdentity.jsm
> @@ +171,5 @@
> > + * Mockable, for testing
> > + */
> > + _mockIdentityService: null,
> > + get IdentityService() {
> > + if (this._mockIdentityService) {
>
> nit: trailing whitespace.
Oops. Sorry
> @@ +330,5 @@
> >
> > _watch: function DOMIdentity__watch(message, targetMM) {
> > log("DOMIdentity__watch: " + message.id);
> > let context = this.newContext(message, targetMM);
> > + let service = this.getService(message);
>
> It seems that you don't need this unless you use 'service' in the next line.
Quite right. Removed.
> ::: dom/identity/nsDOMIdentity.js
> @@ +194,3 @@
> > let message = this.DOMIdentityMessage(aOptions);
> >
> > + // We permit calling of request() outside of a user input handler is when
>
> s/handler is when/handler when ?
Wow, that sentence is broken. Fixed.
> @@ +198,5 @@
> > + // which make use of an RP context marked as _internal, or when a certified
> > + // or privileged app is calling.
> > + if (!aOptions._internal &&
> > + this._appStatus !== Ci.nsIPrincipal.APP_STATUS_CERTIFIED &&
> > + this._appStatus !== Ci.nsIPrincipal.APP_STATUS_PRIVILEGED) {
>
> I would like to get a verification from the security team that they are ok
> with this.
Ok.
> @@ +633,5 @@
> > // Currently, we only permit certified and privileged apps to use
> > // Firefox Accounts.
> > + if (aOptions.wantIssuer == "firefox-accounts") {
> > + if (this._appStatus !== principal.APP_STATUS_PRIVILEGED &&
> > + this._appStatus !== principal.APP_STATUS_CERTIFIED) {
>
> Can you group the condition in one if, please?
Fixed
> ::: dom/identity/tests/mochitest/test_syntheticEvents.html
> @@ +35,5 @@
> > + return Promise.resolve("here~you.go.dude");
> > + }
> > +};
> > +
> > +let originalManager = FirefoxAccounts.fxAccountsManager;
>
> You are not restoring the original manager.
Oh thanks for catching that! Fixed.
> ::: toolkit/identity/FirefoxAccounts.jsm
> @@ +32,5 @@
> > }
> >
> > let log = Log.repository.getLogger("Identity.FxAccounts");
> > log.level = LOG_LEVEL;
> > +//log.addAppender(new Log.ConsoleAppender(new Log.BasicFormatter()));
>
> Uncomment this line
Ah - sorry about that. Fixed.
Thanks for your review, Fernando.
So that we can both give the security team time to review the powers this grants to privileged apps, and also unblock certified apps like Where's My Fox, would you be ok with me splitting this patch into two parts, one for certified apps that we can land now, and a follow-up for privileged apps?
Flags: needinfo?(ferjmoreno)
Assignee | ||
Comment 21•11 years ago
|
||
r=ferjm
needs security review for packaged apps bits
Attachment #8387834 -
Attachment is obsolete: true
Attachment #8387834 -
Flags: review?(ptheriault)
Attachment #8387834 -
Flags: review?(jonas)
Assignee | ||
Comment 22•11 years ago
|
||
Opened Bug 982460 for granting these privileges to packaged apps. I will pursue the security review there.
Summary: Allow certified and privileged apps to call mozID API outside an event handler → Allow certified apps to call mozID API outside an event handler
Assignee | ||
Comment 23•11 years ago
|
||
Fernando, I've removed packaged apps from this patch so that it only grants the privilege in question to certified apps. I've opened Bug 982460 to deal with the security issues surrounding packaged apps separately.
Does this remove your security concerns for the present patch? I'd like to be able to land something that unblocks our certified apps as soon as possible.
Thanks!
j
Attachment #8389272 -
Attachment is obsolete: true
Attachment #8389578 -
Flags: feedback?(ferjmoreno)
Comment 24•11 years ago
|
||
Comment on attachment 8389578 [details] [diff] [review]
Synthetic events always ok with certified apps
I guess that we are ok allowing this to certified apps.
Attachment #8389578 -
Flags: feedback?(ferjmoreno) → feedback+
Flags: needinfo?(ferjmoreno)
Assignee | ||
Comment 25•11 years ago
|
||
Cool. I thought so, too. After all, they are the system and can do whatever they want anyway.
Thanks for your feedback, Fernando. I'll check this in and then pursue bug 982460.
Assignee | ||
Updated•11 years ago
|
Keywords: checkin-needed
Comment 26•11 years ago
|
||
Flags: in-testsuite+
Keywords: checkin-needed
Comment 27•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Updated•6 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•