Security/Reviews/Firefox7/EmbededAddOnPref
From MozillaWiki
Items to be reviewed: Embedded Add-On Prefrences: https://wiki.mozilla.org/Extension_Manager:Projects:Embedded_Add-on_Preferences Agenda:
Introduce Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- allow a simple/consistent way for add-ons to present prefrences to the users
- reduce number of dialogues an addon needs to create
- moving to add-ons manager
- if add-on has things we don't have a place for then it is loaded as XMLHTTP and settings are injected into the UI
- if they type is of one we don't expose then it is ignored
What solutions/approaches were considered other than the proposed solution?
- this is an evolution/refinement of what is done today
Why was this solution chosen?
- current solutions are not unified nor consistent
Any security threats already considered in the design and why?
- only works for enabled add-ons
- since already installed, nothing specific was done here
Threat Brainstorming
- Restriced to prefrences that only a specific add-on adds?
- this data is not stored so it can't be controlled
- there is a pref for them to be name-spaced but this is not requried
- AMO validator should know about this new format and include it in the automatic scans
- menulist and radio types don't seem to have a way to specify the type of the pref value, from the documentation it looks like we guess? Guessing is problematic (though not a security problem since this is privileged code).
Conclusions / Action Items
- None