AMO getting serious about add-on security · 2009-11-14 15:36 by Wladimir Palant
Good news: AMO is finally getting serious about improving the security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two-week deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends, and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.
One particularly sore point is RSS feed reader extensions: every time I look into one I find security issues. In my understanding, an extension that regularly deals with untrusted content from the web should implement two security mechanisms:
- In case the input sanitizer fails, the feed reader should display the feed content in an unprivileged context and establish a security boundary between it and the browser’s chrome. I’ve written about this before.
With these two mechanisms the extension would be very unlikely to expose a security hole due to a developer mistake. Sadly, I’ve yet to see an RSS feed reader that would implement both; most didn’t even implement one properly. I hope this will change now.
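The second mechanism, sketched for a present-day HTML page rather than the 2009 XUL chrome this post is about. This is an added example, not code from the original post or from any feed reader; the names FEED_CSP, wrapFeedHtml, createFeedFrame and isIsolated are hypothetical, and the feed markup is assumed to have passed through the sanitizer already.

```javascript
// Added example (not from the original post). Assumes a modern HTML document;
// all function and constant names here are hypothetical.

// Sandbox tokens that would break the boundary between feed content and the
// privileged page that embeds it.
const FORBIDDEN_TOKENS = ['allow-scripts', 'allow-same-origin', 'allow-top-navigation'];

// Second layer inside the frame: no script, plugins, subframes or form posts,
// even if someone later relaxes the sandbox attribute.
const FEED_CSP = "default-src 'none'; img-src https: data:; " +
  "style-src 'unsafe-inline'; base-uri 'none'; form-action 'none'";

// Wrap feed markup (sanitized, but still treated as untrusted) in a document
// whose first element is the CSP, so the policy is active before the body parses.
function wrapFeedHtml(feedHtml) {
  return '<!DOCTYPE html><html><head>' +
    '<meta http-equiv="Content-Security-Policy" content="' + FEED_CSP + '">' +
    '</head><body>' + feedHtml + '</body></html>';
}

// Build the display frame. `doc` is the embedding page's Document.
function createFeedFrame(doc, feedHtml) {
  const frame = doc.createElement('iframe');
  // Empty token list: opaque origin, scripts and forms off, no top navigation.
  frame.setAttribute('sandbox', '');
  frame.setAttribute('referrerpolicy', 'no-referrer');
  // srcdoc keeps the content out of the embedding page's own DOM entirely.
  frame.setAttribute('srcdoc', wrapFeedHtml(feedHtml));
  return frame;
}

// Regression check: a frame counts as isolated only if it has a sandbox
// attribute and none of the boundary-breaking tokens were added to it.
function isIsolated(frame) {
  const sandbox = frame.getAttribute('sandbox');
  if (sandbox === null) return false;
  const tokens = sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return !tokens.some((t) => FORBIDDEN_TOKENS.includes(t));
}
```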
Update (2009-11-20): Ouch, for Sage this comes too late. I filed a bug on this vulnerability in June 2008. So much for “We will be rewriting the sanitizer to use the Gecko parser” (the famous last words).