1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
|
Script Security
===============
.. container:: summary
This page provides an overview of the script security architecture in
Gecko.
Like any web browser, Gecko can load JavaScript from untrusted and
potentially hostile web pages and run it on the user's computer. The
security model for web content is based on the `same-origin policy
<https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy>`__,
in which code
gets full access to objects from its origin but highly restricted access
to objects from a different origin. The rules for determining whether an
object is same-origin with another, and what access is allowed
cross-origin, are now mostly standardized across browsers.
Gecko has an additional problem, though: while its core is written in
C++, the front-end code is written in JavaScript. This JavaScript code,
which is commonly referred to as c\ *hrome code*, runs with system
privileges. If the code is compromised, the attacker can take over the
user's computer. Legacy SDK extensions also run with chrome privileges.
Having the browser front end in JavaScript has benefits: it can be much
quicker to develop in JavaScript than in C++, and contributors do not
need to learn C++. However, JavaScript is a highly dynamic, malleable
language, and without help it's difficult to write system-privileged
code that interacts safely with untrusted web content. From the point of
view of chrome code, the script security model in Gecko is intended to
provide that help to make writing secure, system-privileged JavaScript a
realistic expectation.
.. _Security_policy:
Security policy
---------------
Gecko implements the following security policy:
- **Objects that are same-origin** are able to access each other
freely. For example, the objects associated with a document served
from *https://example.org/* can access each other, and they can also
access objects served from *https://example.org/foo*.
- **Objects that are cross-origin** get highly restricted access to
each other, according to the same-origin policy.
For example, code served from *https://example.org/* trying to access
objects from *https://somewhere-else.org/* will have restricted
access.
- **Objects in a privileged scope** are allowed complete access to
objects in a less privileged scope, but by default they see a
`restricted view <#privileged-to-unprivileged-code>`__
of such objects, designed to prevent them from being tricked by the
untrusted code. An example of this scope is chrome-privileged
JavaScript accessing web content.
- **Objects in a less privileged scope** don't get any access to
objects in a more privileged scope, unless the more privileged scope
`explicitly clones those objects <#unprivileged-to-privileged-code>`__.
An example of this scope is web content accessing objects in a
chrome-privileged scope.
.. _Compartments:
Compartments
------------
Compartments are the foundation for Gecko's script security
architecture. A compartment is a specific, separate area of memory. In
Gecko, there's a separate compartment for every global object. This
means that each global object and the objects associated with it live in
their own region of memory.
.. image:: images/compartments.png
Normal content windows are globals, of course, but so are chrome
windows, sandboxes, workers, the ``ContentFrameMessageManager`` in a frame
script, and so on.
Gecko guarantees that JavaScript code running in a given compartment is
only allowed to access objects in the same compartment. When code from
compartment A tries to access an object in compartment B, Gecko gives it
a *cross-compartment wrapper*. This is a proxy in compartment A for the
real object, which lives in compartment B.
.. image:: images/cross-compartment-wrapper.png
Inside the same compartment, all objects share a global and are
therefore same-origin with each other. Therefore there's no need for any
security checks, there are no wrappers, and there is no performance
overhead for the common case of objects in a single window interacting
with each other.
Whenever cross-compartment access happens, the wrappers enable us to
implement the appropriate security policy. Because the wrapper we choose
is specific to the relationship between the two compartments, the
security policy it implements can be static: when the caller uses the
wrapper, there's no need to check who is making the call or where it is
going.
.. _Cross-compartment_access:
Cross-compartment access
------------------------
.. _Same-origin:
Same-origin
~~~~~~~~~~~
As we've already seen, the most common scenario for same-origin access
is when objects belonging to the same window object interact. This all
takes place within the same compartment, with no need for security
checks or wrappers.
When objects share an origin but not a global - for example two web
pages from the same protocol, port, and domain - they belong to two
different compartments, and the caller gets a *transparent wrapper* to
the target object.
.. image:: images/same-origin-wrapper.png
Transparent wrappers allow access to all the target's properties:
functionally, it's as if the target is in the caller's compartment.
.. _Cross-origin:
Cross-origin
~~~~~~~~~~~~
If the two compartments are cross-origin, the caller gets a
*cross-origin wrapper*.
.. image:: images/cross-origin-wrapper.png
This denies access to all the object's properties, except for a few
properties of Window and Location objects, as defined by
the `same-origin
policy <https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#cross-origin_script_api_access>`__.
.. _Privileged_to_unprivileged_code:
Privileged to unprivileged code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The most obvious example of this kind of security relation is between
system-privileged chrome code and untrusted web content, but there are
other examples in Gecko. The Add-on SDK runs content scripts in
sandboxes, which are initialized with an `expanded
principal <#expanded-principal>`__,
giving them elevated privileges with respect to the web content they
operate on, but reduced privileges with respect to chrome.
If the caller has a higher privilege than the target object, the caller
gets an *Xray wrapper* for the object.
.. image:: images/xray-wrapper.png
Xrays are designed to prevent untrusted code from confusing trusted code
by redefining objects in unexpected ways. For example, privileged code
using an Xray to a DOM object sees only the original version of the DOM
object. Any expando properties are not visible, and if any native DOM properties have been
redefined, they are not visible in the Xray.
The privileged code is able to waive Xrays if it wants unfiltered access to the untrusted object.
See `Xray vision <xray_vision.html>`__ for much more information on Xrays.
.. _Unprivileged_to_privileged_code:
Unprivileged to privileged code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the caller has lower privileges than the target object, then the
caller gets an *opaque wrapper.*
.. image:: images/opaque-wrapper.png
An opaque wrapper denies all access to the target object.
However, the privileged target is able to copy objects and functions
into the less privileged scope using the ``exportFunction()`` and
``cloneInto()`` functions, and the less privileged scope is then able
to use them.
.. _Security_checks:
Security checks
---------------
To determine the security relation between two compartments, Gecko uses
two concepts: *security principals* and the act of *subsuming*. To
establish the security relationship between two compartments A and B,
Gecko asks:
*Does the security principal for compartment A subsume the security
principal for compartment B, and vice versa?*
.. _Subsumes:
Subsumes
~~~~~~~~
+-----------------------------------+-----------------------------------+
| *A subsumes B* | A has all of the privileges of B, |
| | and possibly more, and therefore |
| | A is allowed to see and do |
| | anything that B can see and do. |
+-----------------------------------+-----------------------------------+
| *A Subsumes B &&* *B Subsumes A* | A and B are same-origin. |
+-----------------------------------+-----------------------------------+
| *A Subsumes B && B !Subsumes A* | A is more privileged than B. |
| | |
| | A gets access to all of B, by |
| | default with Xray vision, which |
| | it may choose to waive. |
| | |
| | B gets no access to A, although A |
| | may choose to export objects to |
| | B. |
+-----------------------------------+-----------------------------------+
| *A !Subsumes B && B !Subsumes A* | A and B are cross-origin. |
+-----------------------------------+-----------------------------------+
.. _Security_principals:
Security principals
~~~~~~~~~~~~~~~~~~~
There are four types of security principal: the system principal,
content principals, expanded principals, and the null principal.
.. _System_principal:
System principal
^^^^^^^^^^^^^^^^
The system principal passes all security checks. It subsumes itself and
all other principals. Chrome code, by definition, runs with the system
principal, as do frame scripts.
.. _Content_principal:
Content principal
^^^^^^^^^^^^^^^^^
A content principal is associated with some web content and is defined
by the origin
of the content. For example, a normal DOM window has a content principal
defined by the window's origin. A content principal subsumes only other
content principals with the same origin. It is subsumed by the system
principal, any expanded principals that include its origin, and any
other content principals with the same origin.
.. _Expanded_principal:
Expanded principal
^^^^^^^^^^^^^^^^^^
An expanded principal is specified as an array of origins:
.. code::
["http://mozilla.org", "http://moz.org"]
The expanded principal subsumes every content principal it contains. The
content principals do not subsume the expanded principal, even if the
expanded principal only contains a single content principal.
Thus ``["http://moz.org"]`` subsumes ``"http://moz.org"`` but not vice
versa. The expanded principal gets full access to the content principals
it contains, with Xray vision by default, and the content principals get
no access to the expanded principal.
This also enables the script security model to treat compartments that
have expanded principals more like part of the browser than like web
content. This means, for example, that it can run when JavaScript is
disabled for web content.
Expanded principals are useful when you want to give code extra
privileges, including cross-origin access, but don't want to give the
code full system privileges. For example, expanded principals are used
in the Add-on SDK to give content scripts cross-domain privileges for a predefined set of
domains,
and to protect content scripts from access by untrusted web content,
without having to give content scripts system privileges.
.. _Null_principal:
Null principal
^^^^^^^^^^^^^^
The null principal fails almost all security checks. It has no
privileges and can't be accessed by anything but itself and chrome. It
subsumes no other principals, even other null principals. (This is what
is used when HTML5 and other specs say "origin is a globally unique
identifier".)
.. _Principal_relationships:
Principal relationships
~~~~~~~~~~~~~~~~~~~~~~~
The diagram below summarizes the relationships between the different
principals. The arrow connecting principals A and B means "A subsumes
B". (A is the start of the arrow, and B is the end.)
.. image:: images/principal-relationships.png
.. _Computing_a_wrapper:
Computing a wrapper
-------------------
The following diagram shows the factors that determine the kind of
wrapper that compartment A would get when trying to access an object in
compartment B.
.. image:: images/computing-a-wrapper.png
|