On 8/29/13 4:51 PM, Monica Chew wrote:
Many have this idea that Firefox should be able to take support/health
data and "self heal." e.g. we take the set of installed addons, compare
it against a blacklist (or possibly a graylist of
not-quite-banned-but-discouraged e.g. performance-sucking) and
automatically take action.
I think this is a great idea, and I strongly support the necessary APIs for
self-healing. Misbehaving addons have a huge impact on Firefox security. Even
though the blocklist ping supports disabling misbehaving addons, being able to
revert hijacked preferences (such as search) would be a huge benefit.
With the multitude of 0-days that come out on a regular basis, it would be
great to have more options way to prevent users from getting owned by making it
more difficult to ignore updates, as well.
So, that's another opinion for you. If you have a documented list of APIs that
you want to support, it would make it easier to discuss.
The only API firmly on the table currently is disableAddon(name). It
takes the identifier of a presumably installed add-on (extension,
plugin, etc) and disables it via the Addon Manager.
Close behind it in priority we'll want APIs to read/modify some key
preferences, such as hardware acceleration. I'd prefer open ended
getPref(pref) setPref(pref, value) APIs (so the trusted content can roll
out new detections and self-healing features without waiting for the
browser to implement an API tailored for a single pref). But if we have
to limit things, we have to limit things.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
