AMO getting serious about add-on security

Good news: AMO is finally getting serious about improving security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two weeks deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.

One particularly sore point are RSS feed reader extensions, every time I look into one I find security issues. In my understanding, an extension that regularly deals with untrusted content from the web should implement two security mechanisms:

  • Input sanitizing: remove any potentially dangerous content from the RSS feeds, particularly make sure no active content (JavaScript, Flash etc.) is allowed. Blacklist approaches like “allow everything but SCRIPT and OBJECT tags” aren’t worth anything because with something as powerful as HTML they are always easy to circumvent. It has to be a whitelist approach, there should be a list of tags and attributes that are allowed and everything else would be removed. Fortunately, nobody needs to implement this from scratch, Firefox already has the code necessary built-in and uses it for feed display rather successfully.
  • Just in case that the input sanitizer fails the feed reader should display the feed content in unprivileged context and establish a security boundary between it and browser’s chrome. I’ve written about this before.

With these two mechanisms the extension would be very unlikely to expose a security hole due to a developer mistake. Sadly, I’ve yet to see an RSS feed reader that would implement both, most didn’t even implement one properly. I hope this will change now.

Update (2009-11-20): Ouch, for Sage this comes too late. I filed a bug on this vulnerability in June 2008. So much on “We will be rewriting the sanitizer to use the Gecko parser” (the famous last words).


  • ecjs

    Good to hear: I’m not going to install one till there is more actions done about it.

  • alr

    By default, NewsFox has a text only display option that disables HTML. Would using this RSS add-on with text only be secure?

    Wladimir Palant

    I looked through the source code briefly – no, I’m everything but sure about that. NewsFox doesn’t have a security boundary and its input sanitizing is rather “adventurous”, from the look of it there might be cases where text-only display won’t help.

    Wladimir Palant

    I noticed a comment in the source code: “display using innerHTML to resolve security issues pointed out by Wladimir Palant”. My memory failed me, apparently I already reported a security issue in NewsFox back in 2006 :) But I certainly didn’t suggest using innerHTML.

  • Havvy

    When talking about bugs, linking to them is useful. ;)

    Wladimir Palant

    Not very useful in this case – they are all marked as security-sensitive, you won’t be able to view them.

  • LorenzoC

    What do you think about “JetPack”?

    Wladimir Palant

    It certainly helps for simple extensions – but won’t resolve the security issues.