To use the redirects defined in the manifest, the app has to be certified or privileged. Certified apps are only distributed as part of a build (so for end users that means they're only distributed by the OEM), and privileged apps have to be vetted and signed by Mozilla.

So although the code doesn't forbid you to do exactly what you say and steal all the redirects, in practice such a redirect wouldn't be signed by Mozilla/distributed by the OEM, and so that code will only run on the apps you sideload to your own phone. And on those, you can do whatever you want (since it's your phone and your app :)).

Best,
Antonio

On 05/04/2015 23:56, AJ ONeal (Home) wrote:

I guess that would only be an issue if I opened a webview from the app, had the user log in to the vulnerable site, and then proceeded with the implicit grant attack in an iframe. Seems like the attack vector is very slim, assuming all of the cacheable dynamic data (cookie, localStorage, and IndexedDB) are scoped for each page visit separately in my app and the browser app.

AJ ONeal

On Sun, Apr 5, 2015 at 3:35 PM, AJ ONeal (Home) <coola...@gmail.com> wrote:

Isn't it a gaping wide security hole to allow me to steal redirects from any domain? For example, I could start the implicit login strategy for some consumer (like imgur.com) and set the redirect to be at that domain. Then the provider (say facebook.com) will check the redirect_uri according to the security rules of the consumer app (imgur). That security check will pass, and then FxOS will steal the redirect and provide me with the token that was intended for imgur.

Shouldn't this be restricted to something like https://<<installation-scoped-app-id>>.<<app-id>>.example.com? That way I could allow *.<<app-id>>.example.com in the provider settings for the app and I would not be able to steal redirects.

I may not have thought it through fully, but I'm working on some OAuth stuff right now where I just implemented domain checking and was considering possible attacks against browser strategies on various platforms.
AJ ONeal

On Sun, Mar 22, 2015 at 7:24 PM, Andrew Sutherland <asutherl...@asutherland.org> wrote:

On 03/22/2015 08:54 PM, AJ ONeal (Home) wrote:

I'm building an OAuth2 browser auth dialog in FxOS 2.0.0 and following the instructions here: https://developer.mozilla.org/en-US/Apps/Build/Manifest#redirects

According to the implementation at https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#435 your app needs to be privileged or certified for the redirect mechanism to be honored. This might be the problem. If not, the email app used redirects without the "browser" privilege when it first added Gmail OAuth2 support. The pull request for that is at https://github.com/mozilla-b2g/gaia/pull/23800. We subsequently changed to use "browser" like the calendar app so we could clear the cookies (see https://bugzilla.mozilla.org/show_bug.cgi?id=1069412#c4) for privacy reasons. That bug also includes some other important changes, so don't rely on that one pull request for anything more than to look at something that worked for redirect purposes :) The contacts app (under apps/communications) also does OAuth2.

Andrew

_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
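As an added example (not code from this thread, from Gaia or from Webapps.jsm), here is the provider-side redirect_uri check that the discussion above turns on: a redirect is honoured only when it matches a registered URI exactly or falls inside the per-app scoped host pattern *.<<app-id>>.example.com that AJ proposes. The client registration, the app id "app1234" and every hostname below are constructed for the example.

```javascript
// Added example, not code from the thread, Gaia or Webapps.jsm. Provider-side
// redirect_uri validation for the two policies discussed: an exact match against
// the client's registered redirect URIs, and the per-app scoped host pattern
// *.<app-id>.example.com that AJ proposes, so a client registered under one
// app id cannot be handed a token meant for another consumer.
// The client registration, app id and hostnames below are constructed.

// Does `host` match `pattern`? A pattern is either an exact hostname or
// "*.<suffix>", which matches exactly one extra DNS label in front of the
// suffix. The leading dot kept in the suffix is what stops
// "evilapp1234.example.com" from satisfying "*.app1234.example.com", and the
// single-label rule stops a deeper host from being slipped under the suffix.
function hostMatchesPattern(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (!pattern.startsWith("*.")) return host === pattern;
  const suffix = pattern.slice(1); // ".<app-id>.example.com"
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, host.length - suffix.length);
  return /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/.test(label);
}

// Decide whether the provider may redirect to `redirectUri` for `client`.
// The implicit grant puts the access token in the redirect fragment, so the
// destination must be https, carry no credentials and no fragment of its own,
// and be one the client actually registered.
function validateRedirectUri(redirectUri, client) {
  let url;
  try {
    url = new URL(redirectUri);
  } catch (e) {
    return false; // unparsable redirect_uri
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password || url.hash) return false;
  // 1) Exact match against registered URIs, compared after WHATWG URL
  //    normalisation so "/callback/../steal" cannot pass as "/callback".
  if (client.redirectUris.some((r) => new URL(r).href === url.href)) return true;
  // 2) Host falls inside a scoped pattern registered for this app id.
  return client.hostPatterns.some((p) => hostMatchesPattern(url.hostname, p));
}

// Constructed registration for one consumer app.
const exampleClient = {
  redirectUris: ["https://consumer.example.com/oauth/callback"],
  hostPatterns: ["*.app1234.example.com"],
};
```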