Security/Reviews/Firefox7/EmbededAddOnPref

From MozillaWiki

Items to be reviewed: Embedded Add-On Preferences: https://wiki.mozilla.org/Extension_Manager:Projects:Embedded_Add-on_Preferences

Agenda:

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • allow a simple/consistent way for add-ons to present preferences to the users
  • reduce number of dialogues an add-on needs to create
    • moving to add-ons manager
  • if add-on has things we don't have a place for then it is loaded as XMLHTTP and settings are injected into the UI
    • if the type is one we don't expose then it is ignored

What solutions/approaches were considered other than the proposed solution?

  • this is an evolution/refinement of what is done today

Why was this solution chosen?

  • current solutions are not unified nor consistent

Any security threats already considered in the design and why?

  • only works for enabled add-ons
    • since already installed, nothing specific was done here

Threat Brainstorming

  • Restricted to preferences that only a specific add-on adds?
    • this data is not stored so it can't be controlled
    • there is a pref for them to be name-spaced but this is not required
  • AMO validator should know about this new format and include it in the automatic scans
  • menulist and radio types don't seem to have a way to specify the type of the pref value; from the documentation it looks like we guess? Guessing is problematic (though not a security problem since this is privileged code).
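
A sketch of the kind of check an automated scan could run for the namespacing and type-guessing points above. This is an added example, not code from the AMO validator or from these notes. It assumes the options file is XUL whose `<setting>` elements carry `pref` and `type` attributes; the prefix `extensions.example-addon.`, the finding labels and the sample markup are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: settings live in the standard XUL namespace.
XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"

# Setting types for which the notes say the pref value type is guessed.
GUESSED_VALUE_TYPES = {"menulist", "radio"}

# Constructed sample input, not taken from a real add-on.
SAMPLE_OPTIONS = """<vbox xmlns="%s">
  <setting pref="extensions.example-addon.enabled" type="bool" title="Enable"/>
  <setting pref="browser.startup.homepage" type="string" title="Home page"/>
  <setting pref="extensions.example-addon.mode" type="radio" title="Mode">
    <radiogroup>
      <radio label="A" value="1"/>
      <radio label="B" value="2"/>
    </radiogroup>
  </setting>
</vbox>""" % XUL_NS


def lint_options(xml_text, pref_prefix):
    """Return (pref, finding) tuples for settings that merit a reviewer's look.

    pref_prefix is the preference branch the add-on is expected to stay in
    (hypothetical convention; the notes say namespacing is not required).
    """
    findings = []
    root = ET.fromstring(xml_text)
    for setting in root.iter("{%s}setting" % XUL_NS):
        pref = setting.get("pref")
        if pref is None:
            continue  # nothing is written to a pref for this setting
        # The add-on exposes a pref outside its own branch in the UI.
        if not pref.startswith(pref_prefix):
            findings.append((pref, "outside-namespace"))
        # The markup does not state the stored value type for these.
        if setting.get("type", "") in GUESSED_VALUE_TYPES:
            findings.append((pref, "value-type-guessed"))
    return findings


if __name__ == "__main__":
    for pref, finding in lint_options(SAMPLE_OPTIONS, "extensions.example-addon."):
        print(finding, pref)
```

Both findings are review flags rather than vulnerabilities, in line with the note that this is privileged code.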

Conclusions / Action Items

  • None