This repository has been archived by the owner on Dec 27, 2023. It is now read-only.

System Hierarchy

smcgregor edited this page Dec 30, 2012 · 16 revisions


Building secure applications on top of web browsers requires significant "separation of concerns." Following the inspiration of extension sandboxing and Unhosted Web Apps, Privly builds the system out of several layers, each with its own permissions. The ordering of "trust," from lowest to highest, is:

  1. Host pages, like Gmail and Facebook. We modify host pages through Content Scripts, which share the host page's DOM and are therefore assumed to be only as trustworthy as the pages in which they run.
  2. Injectable Applications, which are the applications we inject into web pages as iframes. Think of these as our "little world" inside host pages. Because they are served from a different origin than the host page, the Same Origin Policy protects them from the scripting environment of host web pages.
  3. The extension, which can reach all the host pages and injectable applications via message passing, but does not operate in the same scripting environment as either.
  4. The cryptography library, which communicates only with the extension, through an API.

Host Page

The host page could be any web application on the internet. Consequently, the host page is not given any trust: all messages and events originating from host pages are ignored by the extension. The primary point of interaction with the host page is the injection of the content script, privly.js. The content script scans the host page for injectable URLs and creates an iframe for each injectable application it finds. The injectable application then asks the content script to resize its iframe to match the height of its content. Since scripts in the host page can post messages of their own, the content script should act on such a request only after confirming it came from the iframe it created, and should treat the height as untrusted input (an integer within a sane range, nothing more).

Injectable Applications

The Injectable Applications are trusted and studied applications with known security and privacy guarantees. By limiting the operations the applications can perform, we can provide security guarantees for user data and cryptographic identities. The injectable application will be permitted to make requests to the extension's API with message passing.

The only interaction between the Injected Application and the host page is a single message from the injected application containing the height of its content. The content script running in the host page then resizes the iframe so that its height matches the value in the message. Future versions may allow the host page to send formatting instructions, but this is not currently in the scope of development.
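The resize exchange described above, written out as an added example with both sides of the message (this is example code, not Privly's privly.js or its injectable applications). The message shape `{type: "privly-resize", height}`, the origin `https://app.privly.example` from which the apps are assumed to be served, and the maximum height are assumptions for the example; the point is the checks the content script makes before it writes to the host page's DOM.

```javascript
// Added example, not Privly's own code. Simulates the iframe-resize exchange
// between an injectable application and the content script in the host page.
// Assumed (hypothetical) values: the app origin and the message type.
const APP_ORIGIN = "https://app.privly.example"; // assumed origin of injectable apps
const MAX_HEIGHT = 4000;                         // assumed upper bound, in px

// Injectable-application side: the one message it is allowed to send.
// In the app it would go out as: parent.postMessage(buildResizeMessage(h), "*")
// (the app does not know the host page's origin, so it cannot target it).
function buildResizeMessage(contentHeightPx) {
  return { type: "privly-resize", height: contentHeightPx };
}

// Content-script side: decide whether a "message" event may resize `frame`.
// Returns the sanitised height in px, or null if the event must be ignored.
function heightFromResizeEvent(event, frame) {
  // 1. Only the iframe we created may ask for a resize. Host-page scripts can
  //    call window.postMessage too, but then event.source is the host window,
  //    not our frame's contentWindow.
  if (event.source !== frame.contentWindow) return null;
  // 2. The message must come from the app origin, not from wherever the frame
  //    may have been navigated to since.
  if (event.origin !== APP_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== "privly-resize") return null;
  // 3. The height is untrusted input: a real integer in range, never a string
  //    that ends up inside a style attribute.
  const h = data.height;
  if (typeof h !== "number" || !Number.isInteger(h) || h < 0 || h > MAX_HEIGHT) return null;
  return h;
}

// Apply the result: the only DOM write the exchange permits.
function applyResize(event, frame) {
  const h = heightFromResizeEvent(event, frame);
  if (h === null) return false;
  frame.style.height = h + "px";
  return true;
}

// Constructed stand-ins for the browser objects so this runs outside a page.
function makeFrame() {
  return { contentWindow: { id: "app-window" }, style: { height: "" } };
}
function makeEvent(source, origin, data) {
  return { source, origin, data };
}

// Walk-through: a genuine request, a forgery from the host page, and a request
// carrying a string where an integer is expected.
const frame = makeFrame();
const genuine = applyResize(makeEvent(frame.contentWindow, APP_ORIGIN, buildResizeMessage(480)), frame);
const forged = applyResize(makeEvent({ id: "host-window" }, "https://mail.example", buildResizeMessage(480)), frame);
const bogus = applyResize(makeEvent(frame.contentWindow, APP_ORIGIN,
  { type: "privly-resize", height: "1px;position:fixed" }), frame);
console.log({ genuine, forged, bogus, height: frame.style.height });
```

The source check (step 1) is the one that matters most: `event.origin` alone does not distinguish the app's iframe from any other frame on the same origin, and the host page can dispatch messages freely, so the content script ties the request to the exact `contentWindow` it created.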

A second use of the injectable applications is to generate a new link for insertion into the host page. These "posting" applications will typically not be viewed inside host pages. The preferred way to view them is to open them in a part of the UI that is accessible only to pages opened by the extension.

The Extension

Browser extensions typically have permission to message any web page opened in the browser, and they are (or must be) protected from the potentially malevolent code of host pages and from any Injectable Application that has not been vetted. The extension handles injection of the content scripts and the posting process. Once an injected application is running in a host page, it may make requests to the extension using the browser's message passing interface. The extension layer acts as gatekeeper between the injected application and the cryptography API.

The Cryptography Library

We are using Mozilla's NSS Library to provide a set of cryptographic primitives for injectable applications. The extension acts as gatekeeper to the library: it passes only permissioned requests on to the compiled cryptography library. The initial version will support a subset of the operations NSS is capable of, until Privly matures as a software and organizational solution to content privacy. We will likely start with a basic public and private key API, but through the use of injectable applications, advanced sharing and security concepts become a possibility.

      ________________________ Inject Content Script ______________________                                       
     \/                                                                   |                                       
 ____________                     ___________                       ______|____                       ___________ 
|            |  >--Inject App --> |         | >--Crypto Request--> |           | >--Crypto Request--> |          |
|  Host Page |                    | Inj.App |                      | Extension |                      | Compiled |
|            |  <--iframe size--< |         | <-- Crypto Result--< |           | <-- Crypto Result--< | Library  |
|____________|                    |_________|                      |___________|                      |__________|