[tor-commits] [tor-browser-spec/master] Add FF24 audit notes.
mikeperry at torproject.org
Mon Apr 28 15:18:48 UTC 2014
commit c014997723634327c73ec80f8151788b1e934329
Author: Mike Perry <mikeperry-git at torproject.org>
Date: Mon Apr 28 17:15:25 2014 +0200
Add FF24 audit notes.
---
audits/FF17_FEATURE_AUDIT | 19 +++++
audits/FF17_NETWORK_AUDIT | 84 +++++++++++++++++++
audits/FF24_FEATURE_AUDIT | 128 +++++++++++++++++++++++++++++
audits/FF24_NETWORK_AUDIT | 65 +++++++++++++++
audits/FF3.5_AUDIT | 195 +++++++++++++++++++++++++++++++++++++++++++++
audits/FF4_AUDIT | 50 ++++++++++++
6 files changed, 541 insertions(+)
diff --git a/audits/FF17_FEATURE_AUDIT b/audits/FF17_FEATURE_AUDIT
new file mode 100644
index 0000000..b135c0a
--- /dev/null
+++ b/audits/FF17_FEATURE_AUDIT
@@ -0,0 +1,19 @@
+- Can calc() accept device-width/height?
+ - No. Numbers only.
+ - Can viewport/meta viewport accept them?
+ - nsContentUtils::GetViewportInfo() might be the only place..
+ - nsContentUtils::ProcessViewportInfo()
+ - Viewport seems unused on all but mobile
+ - Maybe worth testing..
+
+- currentColor: OK
+- scrollMax: OK
+- IdleAPI: FirefoxOS only, but still present w/ pref??
+ - Throws "The operation is insecure" exception
+ - Disabled for content. WebApp only.
+
+- Web Activities
+ - Seems unfinished and unexported to content
+
+- RegisterContent/ProtocolHandler -> Third party supercookie??
+ - asks for confirmation
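Review bot: the RegisterContentHandler/RegisterProtocolHandler item is closed with "asks for confirmation", but a confirmation prompt only addresses consent; it does not answer the "Third party supercookie??" question, which is whether a registration that the user accepts persists as an identifier after cookies are cleared. Record whether handler registrations are removed by the cookie-clearing path, or leave the item explicitly open. The IdleAPI line ("still present w/ pref??") and the viewport line ("Maybe worth testing..") likewise carry unresolved question marks with no pref name or test result; naming the pref that was checked would make both verifiable.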
diff --git a/audits/FF17_NETWORK_AUDIT b/audits/FF17_NETWORK_AUDIT
new file mode 100644
index 0000000..8ec25ba
--- /dev/null
+++ b/audits/FF17_NETWORK_AUDIT
@@ -0,0 +1,84 @@
+
+Lowest level resolver calls:
+ - PR_GetHostByName
+ + ./profile/dirserviceprovider/src/nsProfileLock.cpp
+ + nsProfileLock::LockWithSymlink
+ + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+ - pkix_pl_Socket_CreateByHostAndPort()
+ - pkix_pl_Socket_CreateByName()
+ - ./security/nss/lib/certhigh/ocsp.c
+ - ocsp_ConnectToHost()
+ + ./security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
+ + ./security/nss/cmd/vfyserv/vfyserv.c
+ - ./media/webrtc/trunk/src/modules/udp_transport/source/udp_transport_impl.cc (!!!)
+ --disable-webrtc!!!
+ + PR_GetAddrInfoByName
+ + ./security/nss/cmd/ssltap/ssltap.c
+ + ./security/nss/cmd/tstclnt/tstclnt.c
+ + ./security/nss/cmd/strsclnt/strsclnt.c
+
+Direct paths to DNS resolution:
+ + nsDNSService::Resolve
+ + nsDNSService::AsyncResolve
+ + nsHostResolver::ResolveHost
+
+Misc UDP (SOCK_DGRAM, PR_DESC_SOCKET_UDP):
+ + ./nsprpub/pr/src/io/prsocket.c
+ + PR_NewUDPSocket
+ + PR_OpenUDPSocket
+ + PR_Socket
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ + ./netwerk/socket/nsUDPSocketProvider.cpp
+
+Misc TCP (SOCK_STREAM, PR_DESC_SOCKET_TCP):
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ - ./nsprpub/pr/src/io/prsocket.c
+ - PR_NewTCPSocket
+ - PR_Socket
+ - PR_OpenTCPSocket
+ + ./nsprpub/pr/src/misc/prnetdb.c
+ + TCPSocket:
+ + ./security/manager/ssl/src/nsNSSIOLayer.cpp
+ + nsSSLIOLayerNewSocket()
+ + ./security/nss/lib/certhigh/ocsp.c
+ + ocsp_SendEncodedRequest
+ + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+ + pkix_pl_Socket_CreateClient
+ + pkix_pl_Socket_CreateServer
+
+Misc PR_Socket:
+ + ./nsprpub/pr/src/cplus/rcnetio.cpp
+ + RCNetStreamIO::RCNetStreamIO
+
+Misc XPCOM:
+ - *SocketProvider
+ + newSocket
+ + ./netwerk/base/src/nsSocketTransport2.cpp:
+ + addToSocket
+ + @mozilla.org/network/socket:
+ + createTransport()
+ + ./netwerk/protocol/http/nsHttpConnectionMgr.cpp
+ + ./netwerk/protocol/ftp/nsFtpConnectionThread.cpp:
+ + ./netwerk/protocol/ftp/nsFtpControlConnection.cpp:
+ + ./dom/network/src/TCPSocket.js
+ + open()
+
+Android may have DNS leaks..
+ - ./mobile/android/base/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java
+
+nsDNSService/nsPIDNSService/nsIDNSService
+ + calls nsHostResolver::ResolveHost
+ + used by:
+ + DNS prefetch (disabled)
+ + ./netwerk/base/src/nsIOService.cpp (offline mode only)
+ + ./netwerk/build/nsNetModule.cpp
+ + ./netwerk/protocol/websocket/WebSocketChannel.cpp
+ + ./netwerk/build/nsNetCID.h
+ + ./netwerk/socket/nsSOCKSIOLayer.cpp (proxy lookup only)
+
+netwerk/base/src/nsSocketTransport2.cpp
+ + nsSocketTransport::ResolveHost() has proper remote dns checks
+ + Resolution is done by using hostname as sockaddr
+ + PROXY_RESOLVES_HOST
+
+
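Review bot: the `+` and `-` markers (and the occasional `(!!!)`) are used on nearly every line of this file but are never defined, so a reader cannot tell whether `+ PR_GetAddrInfoByName` means "reviewed, OK" or "reviewed, concern", and `- ./media/webrtc/...` is only recognizable as a finding because of the exclamation marks. Add a one-line legend at the top of the file. The WebRTC item is resolved as "--disable-webrtc!!!", which is a build-time mitigation; note where that flag is set (the mozconfig) so the audit conclusion can be re-checked against the build rather than against this note. "Android may have DNS leaks.." is also left as a bare suspicion against DefaultClientConnectionOperator.java with no disposition; either mark it open or record what was verified. The hunk also starts with an empty first line that can be dropped.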
diff --git a/audits/FF24_FEATURE_AUDIT b/audits/FF24_FEATURE_AUDIT
new file mode 100644
index 0000000..f6593cc
--- /dev/null
+++ b/audits/FF24_FEATURE_AUDIT
@@ -0,0 +1,128 @@
+Reviewing just the developer docs (not counting undocumented bugs), here's
+stuff that needs a closer look for each FF version.
+
+FF24:
+ - Seems fine.
+FF23:
+ - Mixed content blocking will need to be fixed or disabled.
+FF22:
+ - WebRTC is on by default
+ - Clipboard data:
+ https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent.clipboardData
+ - Web Notifications may cause proxy issues if they contain embedded
+ URLs/content?
+ https://developer.mozilla.org/en-US/docs/WebAPI/Using_Web_Notifications
+ - Blob uris/objects may require caching isolation equivalent to data uris
+ https://developer.mozilla.org/en-US/docs/Web/API/Blob
+ - Is the new third party cookie blocker better or worse?
+ https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/
+ http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/
+FF21:
+ - No major issues
+FF20:
+ - Probably fine:
+ https://developer.mozilla.org/en-US/docs/Web/API/Navigator.getUserMedia
+FF19:
+ - New canvas methods toBlob(), isPointInStroke():
+ https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D
+ https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement
+ - File can return "current" date when time is unknown (verify no timezone
+ leaks, etc)
+ https://developer.mozilla.org/en-US/docs/Web/API/File
+ - https://developer.mozilla.org/en-US/docs/Web/API/CSSPageRule
+FF18:
+ - https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-allowfullscreen
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=767818 (navigator.mozPay??)
+ - https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/Proxy
+ - https://developer.mozilla.org/en-US/docs/Web/Guide/User_experience/Using_the_Page_Visibility_API
+ - https://hacks.mozilla.org/2012/10/aurora-18-hidpi-touch-events/
+
+
+And here's the list of undocumented bugs that need a closer look:
+
+FF24:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=855741
+ https://bugzilla.mozilla.org/show_bug.cgi?id=549861
+ https://bugzilla.mozilla.org/show_bug.cgi?id=858234
+FF23:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=525444
+ https://bugzilla.mozilla.org/show_bug.cgi?id=769871
+ https://bugzilla.mozilla.org/show_bug.cgi?id=811403
+ https://bugzilla.mozilla.org/show_bug.cgi?id=818675
+ https://bugzilla.mozilla.org/show_bug.cgi?id=834835
+FF22:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=845010
+ https://bugzilla.mozilla.org/show_bug.cgi?id=783129
+FF21:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=834595
+ https://bugzilla.mozilla.org/show_bug.cgi?id=823175
+FF20:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=776443
+ https://bugzilla.mozilla.org/show_bug.cgi?id=815743
+ https://bugzilla.mozilla.org/show_bug.cgi?id=818800
+ https://bugzilla.mozilla.org/show_bug.cgi?id=770844
+ https://bugzilla.mozilla.org/show_bug.cgi?id=764240
+ https://bugzilla.mozilla.org/show_bug.cgi?id=617532
+ https://bugzilla.mozilla.org/show_bug.cgi?id=789932
+FF19:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=801576
+ https://bugzilla.mozilla.org/show_bug.cgi?id=804944
+ https://bugzilla.mozilla.org/show_bug.cgi?id=722979
+ https://bugzilla.mozilla.org/show_bug.cgi?id=723002
+ https://bugzilla.mozilla.org/show_bug.cgi?id=723005
+ https://bugzilla.mozilla.org/show_bug.cgi?id=648610
+ https://bugzilla.mozilla.org/show_bug.cgi?id=801402
+FF18:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=745025
+ https://bugzilla.mozilla.org/show_bug.cgi?id=750862
+ https://bugzilla.mozilla.org/show_bug.cgi?id=790946
+ https://bugzilla.mozilla.org/show_bug.cgi?id=782453
+ https://bugzilla.mozilla.org/show_bug.cgi?id=774963
+ https://bugzilla.mozilla.org/show_bug.cgi?id=737003
+ https://bugzilla.mozilla.org/show_bug.cgi?id=726615
+ https://bugzilla.mozilla.org/show_bug.cgi?id=783531
+ https://bugzilla.mozilla.org/show_bug.cgi?id=722861
+ https://bugzilla.mozilla.org/show_bug.cgi?id=796523
+ https://bugzilla.mozilla.org/show_bug.cgi?id=564815
+ https://bugzilla.mozilla.org/show_bug.cgi?id=769764
+ https://bugzilla.mozilla.org/show_bug.cgi?id=769569
+ https://bugzilla.mozilla.org/show_bug.cgi?id=787931
+ https://bugzilla.mozilla.org/show_bug.cgi?id=695399
+ https://bugzilla.mozilla.org/show_bug.cgi?id=791019
+
+-------------------------------------------------------------------
+
+Canvas patch review:
+ https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement
+ + toDataURL (patched to return white)
+ + toBlob (patched to return white)
+ + toDataURLHD (unimplementd)
+ + toBlobHD (unimplemented)
+ + mozGetAsFile (patched to return white)
+ + mozFetchAsStream (chromeonly)
+ https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D
+ + getImageData (patched to return white)
+
+
+Test cases needed for proxy bypass and info leak to/from OS:
+ https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent.clipboardData
+ https://developer.mozilla.org/en-US/docs/WebAPI/Using_Web_Notifications
+ https://bugzilla.mozilla.org/show_bug.cgi?id=767818 (navigator.mozPay)
+
+
+Bugs that need deep review:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=549861 (font-variant probing)
+ - Should we limit this?
+ - http://dev.w3.org/csswg/css-fonts/#font-rend-props
+ https://bugzilla.mozilla.org/show_bug.cgi?id=858234 (execute after DL)
+ https://bugzilla.mozilla.org/show_bug.cgi?id=789932 (move extenal app launcher to alt thread)
+ - Does the external-app-blocker still prompt?
+
+
+Bugs filed:
+ - Fingerprinting:
+ https://trac.torproject.org/projects/tor/ticket/10284
+ https://trac.torproject.org/projects/tor/ticket/10283
+ https://trac.torproject.org/projects/tor/ticket/10286
+ https://trac.torproject.org/projects/tor/ticket/10285
+
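Review bot: "Bugs that need deep review" leaves 858234 (execute after DL) and 789932 ("Does the external-app-blocker still prompt?") without a verdict, and "Test cases needed for proxy bypass and info leak" has no tracking tickets, whereas the fingerprinting findings are each tied to a trac ticket under "Bugs filed". Either file tickets for the proxy-bypass/clipboard/notification/mozPay test cases and the two open bugs and link them here, or mark those items as open so the FF24 audit does not read as complete. Two typos in the canvas section: "unimplementd" (toDataURLHD) and "extenal" (789932).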
diff --git a/audits/FF24_NETWORK_AUDIT b/audits/FF24_NETWORK_AUDIT
new file mode 100644
index 0000000..dc09ff9
--- /dev/null
+++ b/audits/FF24_NETWORK_AUDIT
@@ -0,0 +1,65 @@
+Lowest level resolver calls:
+ - PR_GetHostByName
+ - ./security/nss/lib/certhigh/ocsp.c
+ - ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+ - ./security/nss/cmd/libpkix/pkix_pl/module/test_socket.c
+ - ./security/nss/cmd/vfyserv/vfyserv.c
+ - ./profile/dirserviceprovider/src/nsProfileLock.cpp
+ - ./nsprpub/pr/src/misc/prnetdb.c
+ - ./nsprpub/pr/src/cplus/rcnetdb.cpp
+ + PR_GetIPNodeByName
+ + Used by tests only
+ + PR_GetAddrInfoByName
+ + ./security/nss/cmd/ usage (NSS cli commands only)
+ + ./netwerk/dns/nsHostResolver.cpp
+ + nsHostResolver::ResolveHost() is entrypoint
+ -> nsHostResolver::ThreadFunc() will resolve without SOCKS
+ + Unused except by nsDNSService
+
+Direct paths to DNS resolution:
+ + nsDNSService::Resolve
+ + nsDNSService::AsyncResolve
+ + nsHostResolver::ResolveHost
+
+Misc UDP (SOCK_DGRAM, PR_DESC_SOCKET_UDP):
+ + ./media/webrtc/*
+ + Disabled
+ - ./media/mtransport/third_party/nICEr/
+ - XXX
+ - ./ipc/chromium/src/third_party/libevent/evutil.c
+ - ./other-licenses/android/*
+ - Disabled
+ + ./nsprpub/pr/src/io/prsocket.c
+ + PR_NewUDPSocket
+ + PR_OpenUDPSocket
+ + PR_Socket
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ + ./netwerk/socket/nsUDPSocketProvider.cpp
+
+
+Misc TCP (SOCK_STREAM, PR_DESC_SOCKET_TCP):
+ + ./nsprpub/pr/src/pthreads/ptio.c
+ - ./nsprpub/pr/src/io/prsocket.c
+ - PR_NewTCPSocket
+ - PR_Socket
+ - PR_OpenTCPSocket
+ + ./nsprpub/pr/src/misc/prnetdb.c
+
+Misc PR_Socket:
+ + ./nsprpub/pr/src/cplus/rcnetio.cpp
+ + RCNetStreamIO::RCNetStreamIO
+
+Misc XPCOM:
+ - *SocketProvider
+ + newSocket
+ + ./netwerk/base/src/nsSocketTransport2.cpp:
+ + addToSocket
+ + @mozilla.org/network/socket:
+ + createTransport()
+ + ./netwerk/protocol/http/nsHttpConnectionMgr.cpp
+ + ./netwerk/protocol/ftp/nsFtpConnectionThread.cpp:
+ + ./netwerk/protocol/ftp/nsFtpControlConnection.cpp:
+ + ./dom/network/src/TCPSocket.js
+ + open()
+
+
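Review bot: the key line in this file is "nsHostResolver::ThreadFunc() will resolve without SOCKS", followed by "Unused except by nsDNSService", but unlike the FF17 network audit this version does not enumerate who calls nsDNSService (the FF17 file listed DNS prefetch, nsIOService offline mode, WebSocketChannel and nsSOCKSIOLayer with a disposition for each). Without that list the "resolves without SOCKS" finding is not closed; restore the caller list with a verdict per caller. In the UDP section, ./media/mtransport/third_party/nICEr/ is left as "XXX" and ./ipc/chromium/src/third_party/libevent/evutil.c has no marker at all, while ./media/webrtc/* is marked "Disabled"; state whether the nICEr ICE stack and the libevent UDP helpers are also unreachable when WebRTC is disabled.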
diff --git a/audits/FF3.5_AUDIT b/audits/FF3.5_AUDIT
new file mode 100644
index 0000000..35a9fbf
--- /dev/null
+++ b/audits/FF3.5_AUDIT
@@ -0,0 +1,195 @@
+First pass: Quick Review of Firefox Features
+- Video Tag
+ - Docs:
+ - https://developer.mozilla.org/En/HTML/Element/Audio
+ - https://developer.mozilla.org/En/HTML/Element/Video
+ - https://developer.mozilla.org/En/HTML/Element/Source
+ - https://developer.mozilla.org/En/Manipulating_video_using_canvas
+ - https://developer.mozilla.org/En/nsIDOMHTMLMediaElement
+ - https://developer.mozilla.org/En/Media_formats_supported_by_the_audio_and_video_elements
+ - http://en.flossmanuals.net/TheoraCookbook
+ - nsIContentPolicy is checked on load
+ - Uses NSIChannels for initial load
+ - Wrapped in nsHTMLMediaElement::mDecoder
+ - is nsOggDecoder() or nsWaveDecoder()
+ - liboggplay
+ - Governed by media.* prefs
+ - Preliminary audit shows they do not use the liboggplay tcp functions
+- Geolocation
+ - Wifi:
+ - https://developer.mozilla.org/En/Monitoring_WiFi_access_points
+ - Requires security policy to allow. Then still prompted
+ - navigator.geolocation
+ - Governed by geo.enabled
+ - "2 week access token" is set
+ - geo.wifi.access_token.. Clearing is prob a good idea
+ - http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/geolocation/NetworkGeolocationProvider.js
+ - https://developer.mozilla.org/En/Using_geolocation
+- DNS prefetching after toggle
+ - prefetch pref? Always disable for now?
+ - network.dns.disablePrefetch
+ - Also disabled in netwerk/dns/src/nsDNSService2.cpp when manual proxies
+ are set..
+ - This should prevent prefetching of non-tor urls in tor mode..
+ - But the reverse is unclear.
+ - DocShell attribute!!1 YAY
+ - http://www.oxymoronical.com/experiments/apidocs/interface/nsIDocShell
+ - "Takes effect for the NEXT document loaded...."
+ - Do we win this race? hrmm.. If we do, the tor->nontor direction
+ should also be safe.
+ - Content policy called?
+ - No. See content/html/content/src/nsHTMLDNSPrefetch.cpp
+- Storage
+ - https://developer.mozilla.org/en/Storage
+ - "It is available to trusted callers, meaning extensions and Firefox
+ components only."
+- New content policy
+ - Content Security Policy. Addon-only
+- "Offline resources"
+ - https://developer.mozilla.org/en/Offline_resources_in_Firefox
+ - https://developer.mozilla.org/en/nsIApplicationCache
+ - browser.cache.offline.enable toggles
+ - browser.cache.disk.enable does not apply. Seperate "device".
+ - Does our normal cache clearing mechanism apply?
+ - We call nsICacheService.evictEntries()
+ - May need: nsOfflineCacheDevice::EvictEntries(NULL)
+ - Code is smart enough to behave cleanly if we simply set
+ browser.cache.offline.enable or enable private browsing.
+- Mouse gesture and other new DOM events
+- Fonts
+ - Remote fonts obey content policy. Good.
+ - XXX: Are they cached independent of regular cache? Prob not.
+ - Hrmm can probe for installed fonts:
+ http://remysharp.com/2008/07/08/how-to-detect-if-a-font-is-installed-only-using-javascript/
+ http://www.lalit.org/lab/javascript-css-font-detect
+ http://www.ajaxupdates.com/cssjavascript-font-detector/
+ http://code.google.com/p/jquery-fontavailable/
+- Drag and drop
+ - https://developer.mozilla.org/En/DragDrop/Drag_and_Drop
+ - https://developer.mozilla.org/En/DragDrop/Drag_Operations
+ - https://developer.mozilla.org/En/DragDrop/Dragging_and_Dropping_Multiple_Items
+ - https://developer.mozilla.org/En/DragDrop/Recommended_Drag_Types
+ - https://developer.mozilla.org/En/DragDrop/DataTransfer
+ - Should be no different than normal url handling..
+- Local Storage
+ - https://developer.mozilla.org/en/DOM/Storage#localStorage
+ - Disabled by dom storage pref..
+ - Private browsing mode has its own DB
+ - Memory only?
+ - Disk Avoidance of gStorage and local storage:
+ - mSessionOnly set via nsDOMStorage::CanUseStorage()
+ - Seems to be set to true if cookies are session-only or private
+ browsing mode
+ - Our cookies are NOT session-only with dual cookie jars
+ - but this is ok if we clear the session storage..
+ - XXX: Technically clearing session storage may break
+ sites if cookies remain though
+ - nsDOMStoragePersistentDB not used if mSessionOnly
+ - Can clear with nsDOMStorage::ClearAll() or nsIDOMStorage2::clear()?
+ - These only work for a particular storage. There's both global now
+ and per-origin storage instances
+ - Each docshell has tons of storages for each origin contained in it
+ - Toggling dom.storage.enabled does not clear existing storage
+ - Oh HOT! cookie-changed to clear cookies clears all storages!
+ - happens for both ff3.0 and 3.5 in dom/src/storage/nsDOMStorage.cpp
+ - Conclusion:
+ - can safely enable dom storage
+ - May have minor buggy usability issues unless we preserve it
+ when user is preserving cookies..
+
+Second Pass: Verification of all Torbutton Assumptions
+- "Better privacy controls"
+ - Basically UI stuff for prefs we set already
+ - address bar search disable option is interesting, but not
+ torbutton's job to toggle. Users will hate us.
+- Private browsing
+ - https://developer.mozilla.org/En/Supporting_private_browsing_mode
+ - We should consider an option (off by default) to enable PBM during
+ toggle
+ - It is a good idea because it will let our users use DOM storage
+ safely and also may cause their plugins and other addons to be
+ safe
+ - Doing it always will cause the user to lose fine-grained control
+ of many settings
+ - Also we'll need to prevent them from leaving without toggling tor
+ - Stuff the emit does (grep for NS_PRIVATE_BROWSING_SWITCH_TOPIC and
+ "private-browsing")
+ - XXX: clear mozilla.org/security/sdr;1. We should too! Wtf is it??
+ - Neg. Best to let them handle this. Users will be annoyed
+ at having to re-enter their passwords..
+ - They also clear the console service..
+ - Recommend watching private-browsing-cancel-vote and blocking if
+ we are performing a db operation
+ - Maybe we want to block transitions during our toggle for safety
+ - XXX: They also clear general.open_location.last_url
+ - XXX: mozilla.org/permissionmanager
+ - XXX: mozilla.org/content-pref/service
+ - XXX: Sets browser.zoom.siteSpecific to false
+ - Interesting.. They clear their titles.. I wonder if some
+ window managers log titles.. But that level of surveillance is
+ unbeatable..
+ - XXX: Unless there is some way for flash or script to read titles?
+ - They empty the clipboard..
+ - Can js access the clipboard?? ...
+ - Yes, but needs special pref+confirmation box
+ - http://www.dynamic-tools.net/toolbox/copyToClipboard/
+ - They clear cache..
+ - Cookies:
+ - Use in-memory table that is different than their default
+ - This could fuck up our cookie storage options
+ - We could maybe prevent them from getting this
+ event by wrapping nsCookieService::Observe(). Lullz..
+ - NavHistory:
+ - XXX: nsNavHistory::AutoCompleteFeedback() doesn't track
+ awesomebar choices for feedback.. Is this done on disk?
+ - Don't add history entries
+ - We should block this observe event too if we can..
+ - The session store stops storing tabs
+ - We could block this observe
+ - XXX: They expunge private temporary files on exit from PMB
+ - This is not done normally until browser exit or
+ "on-profile-change"
+ - emits browser:purge-domain-data.. Mostly just for session
+ editing it appears
+ - Direct component query for pbs.privateBrowsingEnabled
+ - This is where we have no ability to provide certain option
+ control
+ - browser.js seems to prevent user from allowing blocked
+ popups?
+ - Some items in some places context menu get blocked:
+ - Can't delete items from history? placesContext_deleteHost
+ - nsCookiePermission::InPrivateBrowsing() calls direct
+ - but is irellevant
+ - Form history cannot be saved while in PBM.. :(
+ - User won't be prompted for adding login passwords..
+ - Can't remember prefs on content types
+ - Many components read this value upon init:
+ - This fucks up our observer game if tor starts enabled
+ - NavHistory and cookie and dl manager
+ - We could just wrap the bool on startup and lie
+ and emit later... :/
+ - Or! emit an exit and an enter always at startup if tor is
+ enabled.
+ - Read iSec report
+ - Compare to Chrome
+ - API use cases
+- SessionStore
+ - Has been reworked with observers and write methods. Should use those.
+- security.enable_ssl2 to clear session id
+ - Still cleared
+- browser.sessionstore.max_tabs_undo
+ - Yep.
+- SafeBrowsing Update Key removed on cookie clear still?
+ - Yep.
+- Livemark updates have kill events now
+- Test if nsICertStore is still buggy...
+
+Third Pass: Exploit Auditing
+- Remote fonts
+- SVG with HTML
+- Javascript threads+locking
+- Ogg theora and vorbis codecs
+- SQLite
+
+
+- https://developer.mozilla.org/en/Firefox_3_for_developers
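Review bot: the "DNS prefetching after toggle" section establishes that network.dns.disablePrefetch is forced when manual proxies are set and that the DocShell attribute "Takes effect for the NEXT document loaded", but the actual safety question ("Do we win this race? hrmm.. If we do, the tor->nontor direction should also be safe.") is left unanswered, and the non-tor->tor direction is only described as "unclear". Record the outcome of that race check, or mark the section as open; as written it reads like a conclusion but is not one. The same applies to the Local Storage "Conclusion: can safely enable dom storage", which rests on cookie-changed clearing all storages, while the later Private browsing notes say PBM switches cookies to a separate in-memory table that "could fuck up our cookie storage options"; the interaction between those two findings should be stated. The "Third Pass: Exploit Auditing" list has no findings under any item, and the trailing Firefox_3_for_developers link is unattached to any section.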
diff --git a/audits/FF4_AUDIT b/audits/FF4_AUDIT
new file mode 100644
index 0000000..7830eb3
--- /dev/null
+++ b/audits/FF4_AUDIT
@@ -0,0 +1,50 @@
+- Review of https://developer.mozilla.org/en/Firefox_4_for_developers
+ - Potential proxy issues
+ - DocShell and plugins inside createHTMLDocument?
+ - https://developer.mozilla.org/en/DOM/DOMImplementation.createHTMLDocument
+ - WebSockets?
+ - Media attributes?
+ - "buffered"
+ - "preload"
+ - new codecs?
+ - What the hell is a blob url?
+ - https://developer.mozilla.org/en/DOM/window.createBlobURL
+ - https://developer.mozilla.org/en/DOM/window.revokeBlobURL
+ - Seems only relevent to FS injection..
+ - WebThreads are OK:
+ - https://developer.mozilla.org/En/Using_web_workers
+ - Network activity blocked by content policy
+ - Fingerprinting issues:
+ - New screen attributes
+ - https://developer.mozilla.org/en/DOM/window.mozInnerScreenX, Y
+ - High Res Animation Timers:
+ - https://developer.mozilla.org/en/DOM/window.mozAnimationStartTime
+ - https://developer.mozilla.org/en/DOM/Animations_using_MozBeforePaint
+ - 50-60hz max.. Can we leverage this?
+ - timeStamps on keystroke events
+ - https://developer.mozilla.org/en/DOM/event.timeStamp
+ - Bounding rectangles -> window sizes?
+ - Maybe not display sizes, but seems possible to fingerprint rendered
+ content size.. ugh.
+ - https://developer.mozilla.org/en/DOM/element.getBoundingClientRect
+ - https://developer.mozilla.org/en/dom:range
+ - CSS resize, media queries, etc..
+ - WebGL may also expose screen properties and video card properties:
+ - https://developer.mozilla.org/en/WebGL
+ - https://www.khronos.org/registry/webgl/specs/1.0/#5.2
+ - https://www.khronos.org/registry/webgl/specs/1.0/#5.11
+ - SVG needs auditing. It may also expose absolute coords, but appears OK
+ - https://developer.mozilla.org/en/SVG/SVG_animation_with_SMIL
+ - Mouse events reveal desktop coordinates
+ - https://bugzilla.mozilla.org/show_bug.cgi?id=503943
+ - https://developer.mozilla.org/en/DOM/Event/UIEvent/MouseEvent
+ - Actual screen dimensions not exposed
+ - Identifier Storage
+ - Content Secuity Properties may need clearing:
+ - https://developer.mozilla.org/en/Security/CSP
+ - STS cache needs clearing
+ - New window.history functions may allow state smuggling
+ - https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history
+
+- New Javascript hooking options may help improve Date() hooks:
+ - https://developer.mozilla.org/en/JavaScript/New_in_JavaScript/1.8.5
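Review bot: under "Potential proxy issues", WebSockets, media "buffered"/"preload" and new codecs are listed only as bare question marks with no disposition, and the blob URL item ends with "Seems only relevent to FS injection.." (typo: relevant) with no check of how blob contents are cached; the FF24 feature audit later in this commit raises exactly that ("Blob uris/objects may require caching isolation equivalent to data uris"), so the FF4 conclusion should either be withdrawn or reconciled. Under "Identifier Storage", "Content Secuity Properties" should read "Content Security Policy", and "STS cache needs clearing" is a finding without a ticket or a note of where the cache is cleared.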