Thunderbird:Thunderbird3:ContentSecReview/Cookies Security Review

From MozillaWiki
Jump to: navigation, search

Overview

Lift the Thunderbird 2 restriction on cookies so that they are usable by content mainly for the purposes of extensions investigating linking to web sies / applications and new ideas.

Background links

Security and Privacy

  • Is this feature a security feature? If it is, what security issues is it intended to resolve?
    • Yes.
    • Cookies were too limited:
      • Just loading content for RSS feeds or background loading of RSS feeds
      • Cookie preferences were ignored.
    • Now:
      • Cookies can be accessed in content according to the same cookie policy as Firefox with extra restrictions.
      • Extra restrictions: cookies on these protocols are denied: imap, news, snews, mailbox
  • What potential security issues in your feature have you already considered and addressed?
    • Cookie privacy - users have access to the same preferences as Firefox to allow/deny cookies as appropriate. This will apply to all content loaded unless denied by the policy.
    • Protocols - the mail protocols have cookies denied on them.
    • Remote content in emails - see below.
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project. 
The one slightly odd case that I can think of is this:
* a web site shown by the RSS code or by an extension sets a cookie
* the user subsequently receives an email which they agree to trust remote
  content from (or is from a sender whom they've previously agreed to trust
  all messages from).
* remote content in the email will send the cookie from the previous browsing
  session back to the server, allowing correlation previously unavailable
  between web pages.
  • How are transitions in/out of Private Browsing mode handled?

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
    • No new ones over existing gecko interfaces
  • Does it interoperate with a web service? How will it do so?
    • N/A
  • Explain the significant file formats, names, syntax, and semantics.
    • N/A
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
    • N/A
  • Does it change any existing interfaces?
    • N/A

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)?
    • N/A

Data

  • What data is read or parsed by this feature?
  • What is the output of this feature?
  • What storage formats are used?

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
    • UI:
      • Manage Cookies
      • Add Exceptions
      • network.cookie.cookieBehavior, network.cookie.lifetimePolicy, network.cookie.blockFutureCookies
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
    • None
  • What ranges for the tunable are appropriate? How are they determined?
    • Same as gecko.
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
    • Same as gecko.

Relationships to other projects

Are there related projects in the community?

Not applicable

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments

Retrieved from "https://wiki.mozilla.org/index.php?title=Thunderbird:Thunderbird3:ContentSecReview/Cookies_Security_Review&oldid=172291"