Diffstat (limited to 'remote/doc/Security.md')
-rw-r--r-- | remote/doc/Security.md | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/remote/doc/Security.md b/remote/doc/Security.md new file mode 100644 index 0000000000..848a63fd45 --- /dev/null +++ b/remote/doc/Security.md 
@@ -0,0 +1,112 @@ +# Security aspects of the Remote Agent + +The Remote Agent is not a web-facing feature and as such has different +security characteristics than traditional web platform APIs. The +primary consumers are out-of-process programs that connect to the +agent via a remote protocol, but can theoretically be extended to +facilitate browser-local clients communicating over IPDL. + +## Design considerations + +The Remote Agent allows consumers to interface with Firefox through +an assorted set of domains for inspecting the state and controlling +execution of documents running in web content, injecting arbitrary +scripts to documents, do browser service instrumentation, simulation +of user interaction for automation purposes, and for subscribing +to updates in the browser such as network- and console logs. + +The remote interfaces are served over an HTTP wire protocol, by a +server listener hosted in the Firefox binary. This can only be +started by passing the `--remote-debugging-port` +flag. Connections are restricted to loopback devices +(such as localhost and 127.0.0.1). + +Since the Remote Agent is not an in-document web feature, the +security concerns we have for this feature are essentially different +to other web platform features. The primary concern is that the +HTTPD is not spun up without passing one of the command-line flags. +It is out perception that if a malicious user has the capability +to execute arbitrary shell commands, there is little we can do to +prevent the browser being turned into an evil listening device. + +## User privacy concerns + +There are no user privacy concerns beyond the fact that the offered +interfaces will give the client access to all browser internals, +and thereby follows all browser-internal secrets. + +## How the Remote Agent works + +When the `--remote-debugging-port` flag is used, +it spins up an HTTPD on the desired port, or defaults to +localhost:9222. 
The HTTPD serves WebSocket connections via +`nsIWebSocket.createServerWebSocket` that clients connect to in +order to give the agent remote instructions. Hereby the HTTPD only +accepts system-local loopback connections from clients: + +```javascript +if (!LOOPBACKS.includes(host)) { + throw new Error("Restricted to loopback devices"); +} +``` + +The Remote Agent implements a large subset of the Chrome DevTools +Protocol (CDP). This protocol allows a client to: + +* take control over the user session for automation purposes, for + example to simulate user interaction such as clicking and typing; + +* instrument the browser for analytical reasons, such as intercepting + network traffic; + +* and extract information from the user session, including cookies + and local storage. + +There are no web-exposed features in the Remote Agent whatsoever. + +## Security model + +It shares the same security model as DevTools and Marionette, in +that there is no other mechanism for enabling the Remote Agent than +by passing a command-line flag. + +It is our assumption that if an attacker has shell access to the +user account, there is little we can do to prevent secrets from +being accessed or leaked. + +The Remote Agent is available on all release channels. + +## Remote Hosts and Origins + +By default RemoteAgent only accepts connections with no `Origin` header and a +`Host` header set to an IP address or a localhost loopback address. + +Other `Host` or `Origin` headers can be allowed by starting Firefox with the +`--remote-allow-origins` and `--remote-allow-hosts` arguments: + +* `--remote-allow-hosts` expects a comma separated list of hostnames + +* `--remote-allow-origins` expects a comma separated list of origins + +Note: Users are strongly discouraged from using the Remote Agent in a way that +allows it to be accessed by untrusted hosts e.g. by binding it to a publicly +routeable interface. 
+ +The Remote Agent does not provide message encryption, which means that all +protocol messages are subject to eavesdropping and tampering. It also does not +provide any authentication system. This is acceptable in an isolated test +environment, but not to be used on an untrusted network such as the internet. +People wishing to provide remote access to Firefox sessions via the Remote Agent +must provide their own encryption, authentication, and authorization. + +## Security reviews + +More details can be found in the security reviews conducted for Remote Agent and +WebDriver BiDi: + +* [Remote Agent security review] (November 2019) + +* [WebDriver BiDi security review] (April 2022) + +[Remote Agent security review]: https://bugzilla.mozilla.org/show_bug.cgi?id=1542229 +[WebDriver BiDi security review]: https://bugzilla.mozilla.org/show_bug.cgi?id=1753997 |
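Review bot: The "Design considerations" paragraph states without qualification that "Connections are restricted to loopback devices (such as localhost and 127.0.0.1)", which the later "Remote Hosts and Origins" section contradicts, since `--remote-allow-hosts` and `--remote-allow-origins` relax exactly that restriction and the closing note even contemplates binding to a publicly routable interface; qualify the earlier sentence with "by default" and point forward to that section so a reader does not stop at the stronger claim. The same paragraph says "This can only be started by passing the `--remote-debugging-port` flag" while "Since the Remote Agent is not an in-document web feature" then refers to "one of the command-line flags", so either name the other flags or make both sentences agree on the single flag. Also note that the `LOOPBACKS.includes(host)` snippet under "How the Remote Agent works" checks the `Host` header value rather than the interface the socket is bound to, which is worth saying explicitly given the note about binding to routable interfaces. Smaller fixes: "It is out perception" should read "It is our perception"; the list in "inspecting the state and controlling execution ..., injecting arbitrary scripts ..., do browser service instrumentation, simulation of user interaction" mixes verb forms and should use parallel gerunds ("instrumenting browser services, simulating user interaction"); "and thereby follows all browser-internal secrets" is unclear and probably means "and therefore to all browser-internal secrets"; "routeable" should be "routable" and "comma separated" should be hyphenated as "comma-separated".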