summaryrefslogtreecommitdiffstats
path: root/remote/doc/Security.md
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--remote/doc/Security.md99
1 files changed, 99 insertions, 0 deletions
diff --git a/remote/doc/Security.md b/remote/doc/Security.md
new file mode 100644
index 0000000000..6f95ac9463
--- /dev/null
+++ b/remote/doc/Security.md
@@ -0,0 +1,99 @@
+Security aspects of the remote agent
+====================================
+
+The remote agent is not a web-facing feature and as such has different
+security characteristics than traditional web platform APIs. The
+primary consumers are out-of-process programs that connect to the
+agent via a remote protocol, but can theoretically be extended to
+facilitate browser-local clients communicating over IPDL.
+
+
+Design considerations
+---------------------
+
+The remote agent allows consumers to interface with Firefox through
+an assorted set of domains for inspecting the state and controlling
+execution of documents running in web content, injecting arbitrary
+scripts to documents, do browser service instrumentation, simulation
+of user interaction for automation purposes, and for subscribing
+to updates in the browser such as network- and console logs.
+
+The remote interfaces are served over an HTTP wire protocol, by a
+server listener hosted in the Firefox binary. This can only be
+started by passing the `--remote-debugging-port`
+flag. Connections are by default restricted to loopback devices
+(such as localhost and 127.0.0.1), but this can be overridden with
+the `remote.force-local` preference.
+
+The feature as a whole is guarded behind the `remote.enabled`
+preference. This preference serves as a way to gate the remote
+agent component through release channels, and potentially for
+remotely disabling the remote agent through Normandy if the need
+should arise.
+
+Since the remote agent is not an in-document web feature, the
+security concerns we have for this feature are essentially different
+to other web platform features. The primary concern is that the
+HTTPD is not spun up without passing one of the command-line flags.
+It is out perception that if a malicious user has the capability
+to execute arbitrary shell commands, there is little we can do to
+prevent the browser being turned into an evil listening device.
+
+
+User privacy concerns
+---------------------
+
+There are no user privacy concerns beyond the fact that the offered
+interfaces will give the client access to all browser internals,
+and thereby follows all browser-internal secrets.
+
+
+How the remote agent works
+--------------------------
+
+When the `--remote-debugging-port` flag is used,
+it spins up an HTTPD on the desired port, or defaults to
+localhost:9222. The HTTPD serves WebSocket connections via
+`nsIWebSocket.createServerWebSocket` that clients connect to in
+order to give the agent remote instructions.
+
+The `remote.force-local` preference controls whether the HTTPD
+accepts connections from non-loopback clients. System-local loopback
+connections are the default:
+
+ if (Preferences.get(FORCE_LOCAL) && !LOOPBACKS.includes(host)) {
+ throw new Error("Restricted to loopback devices");
+ }
+
+The remote agent implements a large subset of the Chrome DevTools
+Protocol (CDP). This protocol allows a client to:
+
+ - take control over the user session for automation purposes, for
+ example to simulate user interaction such as clicking and typing;
+
+ - instrument the browser for analytical reasons, such as intercepting
+ network traffic;
+
+ - and extract information from the user session, including cookies
+ and local strage.
+
+There are no web-exposed features in the remote agent whatsoever.
+
+
+Security model
+--------------
+
+It shares the same security model as DevTools and Marionette, in
+that there is no other mechanism for enabling the remote agent than
+by passing a command-line flag.
+
+It is our assumption that if an attacker has shell access to the
+user account, there is little we can do to prevent secrets from
+being accessed or leaked.
+
+The preference `remote.enabled` is true on the Firefox Nightly
+release channel. The [security review] was completed in November
+2019.
+
+
+[security review]: https://bugzilla.mozilla.org/show_bug.cgi?id=1542229