Clarify security implications #74
Comments
|
@rgh36167 good point Follows an initial list of scenarios (all tried on the inpage-toolbar-ui example), which can be helpful to put together a similar list on MDN to help an add-on developer to evaluate the security implications of the features he is planning to use in its add-on. The web page currently can:
The web page currently is not able to:
|
|
Discussion has been moved to: |
|
Given https://bugzilla.mozilla.org/show_bug.cgi?id=1287590#c5, should we add a warning, or just remove this example? (I tend to think we should remove this example.) @rgh36167 , @rpl ? |
|
People are doing it all the time anyway - me shudders that developers are trying to use this to implement password managers (https://bugzilla.mozilla.org/show_bug.cgi?id=792479#c61) Leave it as prominent example howto not do it? The code doing the automated review of AMO submissions should detect this and similar and give a warning. |
|
Btw to ammend the list of possible exploits, I see nothing that would stop a hostile webpage from using HTML5 canvass to get "screenshots" of the iframe. |
|
@wbamberg @rgh36167 I'm ok with removing this example so that it is not as tempting as it is currently. At the same time, as @rgh36167 link above shows, add-on developer are currently digging into the Firefox sources to achieve this in Add-on SDK add-ons, that if I'm not wrong has a real toolbar ui component, using the require("chrome") trick, and so I'm not sure that it is not going to be used even without an example. Nevertheless, I totally agree that this feature should not be used to implement UI of a password manager addon or any other security oriented features. In general every part of an addon that is directly accessible to a webpage is going to provide a greater attack surface (e.g. when a content script exchanges messages with a webpage, how can the content script be sure that something in the page is not faking the real source? if we export a function from the content script into the webpage using the newly provided On the other hand, this is not worst of injecting single DOM elements into the page from a content script, it is only better isolated from the rest of the page, and I'm pretty sure that it can be helpful in the context of devtools addons. Can a re-write of the example and its readme helpful? (so that it is more clearly suggested as a way to augment the page and not the extension/browser ui) |
|
@rpl : the SDK also has the panel high level API which would do what many people are trying to achieve with the toolbar ui, I was not even aware of the chrome trick you mention. If Firefox made the equivalent https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/browserAction/openPopup available for addons it would solve most of the problem.. only leaving the problem with extensions ported from the other browser. The |
@rgh36167 I know that the Addon SDK provides a proper high level API, and it seems interesting that, nevertheless, (and I'm wondering why) add-on developers are trying to inject iframes into the page from an Addon SDK add-ons.
The |
|
@rpl - I was also wondering why people would inject iframes in an unsafe and rather complicated way instead of using a clean safe easy high level api.. probably a part of it are developers porting their addons from Chrome who are not aware that a better and safer way to do it exists. Other cases are perhaps where addon writers want to "integrate" their content with the webpage which may or may not be dangerous depending on the situation.
That is very unfortunate, if there is no safe alternative to do it than WebExtensions would be a huge step backward for Addon development. I think this should be reopened or a new bug filled because afaics the decision to not implement it was done long before the ui-iframe-toolbar security concerns landed in bugzilla. |
Based on the discussion in mdn#74, we decided to remove this example to prevent it to seem as the suggested way to expose "security/privacy" sensible UI elements to a potentially malicious page. Even if there are probably reasonable scenarios where this feature can be used, it is currently perceived as a replacement for a browser toolbar UI element, which is not.
|
For those who aren't following https://bugzil.la/1278180 : Note that Firefox 57 implements openPopup for browserAction/pageAction, guarded behind a user gesture - see https://bugzil.la/1341126. |
|
Do I understand it right that it would work or example from a listener added by window.addEventListener("touchstart", ....) ? |
Yes, but only from an extension page ( |
|
@Rob--W: if so it would not help anything with the security issue - those were concerning code injected into potentially hostile webpages. Anything in moz-extension should be under our control anyway? |
|
@rgh36167 I don't fully understand you. Are you saying that the feature is useless because it cannot be used from content scripts? If so, I agree and posted https://bugzil.la/1392624. If not, what do you mean? |
|
@Rob--W not exactly useless as it can have other uses but otherwise agree. |
github-actions
bot
added
the
idle
|
Closing as there's been no further comment on this issue for 6 years. |
Some examples (eg inpage-toolbar-ui ) inject code into a webpage. I would assume if the webpage isn't under our control it can easily delete, obscure and otherwise manipulate the displayed iframe?
The text was updated successfully, but these errors were encountered: