Security/Reviews/TBOpenSearch

From MozillaWiki

Items to be reviewed: Thunderbird Open Search - https://wiki.mozilla.org/Privacy/Reviews/OpenSearch

Agenda:

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • Let TB search the web from within TB
  • built into the default search box

What solutions/approaches were considered other than the proposed solution?

  • current implementation as an add-on
    • available since Aug 2011

Why was this solution chosen?

  • moving from add-on to native
  • moving for monetization, and reduced manpower for add-ons as supported products
    • add-on only has a 1 person model, where core can be worked on by ongoing developers
      • has a better opportunity for localization
      • less likely to be broken by future changes

Any security threats already considered in the design and why?

  • no particular threats were considered
    • mostly copied from Firefox in how browsing is done and for security threats

Threat Brainstorming

  • how is content isolated in browsing vs content in mail?
    • good question, unknown for sure
    • 2 different browser elements (1 for mail 1 for browsing)
  • browser history/cache/localstorage/cookies/etc stored across tabs or other browser context widgets (e.g., rss)?
    • Good question. No extra code written.
    • Clicked links open in default browser (not in web context). Only the page from the search provider stays in the TB tab (whitelist of isolated URL prefixes that stay in TB, everything else opens in default browser).
  • Redirects from search results to different domain
    • Does a redirect open in the same tab or not?
  • HTTPS and location UI?
    • no, there is no address bar, so no UI to indicate secure connections to users
      • this is highly encouraged to be HTTPS all the time
    • this is copied from Firefox search providers and some of them are not TLS
    • could put locks on favicon to show status
  • browser is cloned per tab so content tag should be maintained

Conclusions / Action Items

  • [dveditz] wants to look at code that selects which URLs spawn the browser and which don't.
  • [squib] test if search results tab has access to window.opener (the privileged code)
    • The search results don't have access to window.opener (it's null)
  • [squib] test for redirect behavior... can we break the "whitelist of allowed in thunderbird" rule via HTTP redirect?
    • Redirects can break the whitelist, so we need to fix this; possibly check in onLocationChange, which gives us the final URL (can we cancel the load from there?)
  • [sid] brief privacy review
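The two points above about the "whitelist of isolated URL prefixes that stay in TB" and about HTTP redirects escaping it can be shown side by side. The following is an added example written for these notes, not Thunderbird's code: the allowlist entries, the redirect table standing in for the network, and the function names (`isAllowedInTab`, `dispatchInitialOnly`, `dispatchPerHop`) are all constructed here. It contrasts a policy that checks only the URL originally requested with one that re-checks on every location change, which is the onLocationChange approach proposed in the action items; it also folds in the HTTPS point from the threat brainstorming by refusing non-TLS URLs in the tab.

```javascript
// Constructed allowlist of search-provider result pages that may stay inside the
// Thunderbird tab. Placeholder entries, not Thunderbird's real list. Matching on
// parsed origin + path prefix (rather than a raw string prefix) means host case,
// default ports and look-alike hosts such as host.example.com.evil.example cannot
// slip past the comparison.
const ALLOWED_IN_TAB = [
  { origin: "https://search.example.com", pathPrefix: "/results" },
  { origin: "https://www.example-search.org", pathPrefix: "/search" },
];

// Decide whether a single URL is allowed to render in the Thunderbird tab.
function isAllowedInTab(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input never stays in the tab
  }
  if (url.protocol !== "https:") return false; // review note: should be TLS all the time
  return ALLOWED_IN_TAB.some(
    (entry) => url.origin === entry.origin && url.pathname.startsWith(entry.pathPrefix)
  );
}

// Constructed stand-in for the network: maps a requested URL to the Location
// header target it redirects to. Second entry models a provider redirecting
// off to a third-party host.
const REDIRECTS = {
  "https://search.example.com/results?q=foo": "https://search.example.com/results?q=foo&page=1",
  "https://search.example.com/results?q=bar": "https://ads.example.net/landing",
};

// Follow redirects through the table, returning every URL visited (bounded).
function resolveChain(startUrl, table, maxHops = 10) {
  const chain = [startUrl];
  let current = startUrl;
  for (let i = 0; i < maxHops && table[current] !== undefined; i++) {
    current = table[current];
    chain.push(current);
  }
  return chain;
}

// Weak policy: the tab/external decision is made once, on the requested URL.
// A redirect to a host outside the allowlist therefore still lands in the tab.
function dispatchInitialOnly(startUrl, table) {
  if (!isAllowedInTab(startUrl)) return { target: "external", finalUrl: startUrl };
  const chain = resolveChain(startUrl, table);
  return { target: "tab", finalUrl: chain[chain.length - 1] };
}

// Hardened policy: re-evaluate at every hop, as an onLocationChange listener
// would. The first hop outside the allowlist cancels the in-tab load and hands
// that URL to the default browser instead.
function dispatchPerHop(startUrl, table) {
  if (!isAllowedInTab(startUrl)) return { target: "external", finalUrl: startUrl };
  for (const hop of resolveChain(startUrl, table)) {
    if (!isAllowedInTab(hop)) return { target: "external", finalUrl: hop, cancelled: true };
  }
  const chain = resolveChain(startUrl, table);
  return { target: "tab", finalUrl: chain[chain.length - 1] };
}
```

With the second redirect entry, `dispatchInitialOnly` keeps the third-party landing page inside the Thunderbird tab, which is exactly the break in the rule the action item describes, while `dispatchPerHop` sends it to the default browser. Whether the real onLocationChange hook can cancel the load at that point is the open question in the notes and is not answered by this example.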