Good news: AMO is finally getting serious about improving the security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two-week deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends, and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.
One particularly sore point is RSS feed reader extensions: every time I look into one, I find security issues. In my understanding, an extension that regularly deals with untrusted content from the web should implement two security mechanisms:
- Just in case the input sanitizer fails, the feed reader should display the feed content in an unprivileged context and establish a security boundary between it and the browser’s chrome. I’ve written about this before.
With these two mechanisms the extension would be very unlikely to expose a security hole due to a developer mistake. Sadly, I’ve yet to see an RSS feed reader that implements both; most didn’t even implement one properly. I hope this will change now.
Update (2009-11-20): Ouch, for Sage this comes too late. I filed a bug on this vulnerability in June 2008. So much for “We will be rewriting the sanitizer to use the Gecko parser” (the famous last words).