Privileged Content
This page details the implementation of signed privileged content for FxOS. The basic properties of privileged content are that:
- its resources are enumerated in a manifest
- it is signed to prevent modification
- it is loaded into a unique origin which is granted special permissions (separate from other web content on the same domain)
Background: Packaged Content
Bug 1036275 introduced packaged HTML content to Firefox. Packages must be served with the "Content-Type: application/package" MIME type.
An example of a regular package is shown below:
--gc0pJq0M:08jU534c0p
Content-Location: /index.html
Content-Type: text/html

<html>
  <head>
    <script src="scripts/app.js"></script>
    ...
  </head>
  ...
</html>
--gc0pJq0M:08jU534c0p
Content-Location: /scripts/app.js
Content-Type: text/javascript

module Math from '/scripts/helpers/math.js';
...
--gc0pJq0M:08jU534c0p
Content-Location: /scripts/helpers/math.js
Content-Type: text/javascript

export function sum(nums) { ... }
...
--gc0pJq0M:08jU534c0p--
Privileged Packages
The Signed Manifest
A signed package is denoted by setting a single package header, which carries the signature over the first resource. That first resource MUST be the manifest, and the manifest must include a list of the resources in the package along with their hashes.
manifest-signature: MRjdkly.... (Base64 Signature over manifest content)
Package headers are specified by the W3C format and are headers which are sent inside the package, but prior to the first data part. Modifying the above example, we get something like:
manifest-signature: MRjdkly.... (Base64 Signature)
--gc0pJq0M:08jU534c0p
Content-Location: /someapp.webmanifest
Content-Type: application/manifest

{
  "name": "My App",
  "description": "A great app!"
  ...
Manifest Requirements
package-identifier
Signed packages must contain a package-identifier field: the unique identifier for a signed package, used to make it unique within a given web origin (i.e. example.com!app1). NOTE: Marketplace will supply this for production packages.
permissions
We need the permissions of the signed package in order to know which permissions to grant to the new process.
moz-resources
We add a resources section to the app manifest which enumerates the content that needs an integrity check. All resources are specified by relative URIs, meaning they must reside inside the package.
moz-package-origin
We need a field in the manifest which specifies the origin where the package is allowed to be hosted. Gecko needs to check this when a package is loaded, to ensure that the package hasn't been moved and re-hosted elsewhere.
Example
{
  "permissions": [
    {
      "systemXHR": { "description": "Needed to download stuff" },
      "devicestorage:pictures": { "description": "Need to load pictures" }
    }
  ],
  "moz-resources": [
    { "src": "/index.html", "integrity": "sha256-kass...eoirW-e" },
    { "src": "/page2.html", "integrity": "sha256-kasguie...ngeW-e" },
    { "src": "/script.js", "integrity": "sha256-agjdia2...wgda" },
    { "src": "/library.js", "integrity": "sha256-geijfi...ae3W" }
  ],
  "moz-package-origin": "https://example.com",
  "package-identifier": "6213ccd8-7d17-11e5-a6cd-fb1f39b76b9c"
}
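The loader-side checks described above (manifest must be the first part, moz-package-origin must match the hosting origin, every moz-resources entry must be present with a matching sha256 integrity value), as an added example in Python that is not Gecko's code or part of the original page. The boundary, resource bodies, package-identifier and manifest-signature values are constructed placeholders; signature verification is left out because the page does not name the signature algorithm or key.

```python
import base64, hashlib, json
# Constructed example, not code from the original page. Signature verification
# is omitted because the page does not name the algorithm or key; shown are the
# manifest-first, moz-package-origin and moz-resources integrity checks.
BOUNDARY = "gc0pJq0M:08jU534c0p"
INDEX = b"<html><body>hello</body></html>"
SCRIPT = b"export function sum(nums) { return nums.reduce((a, b) => a + b, 0); }"

def sri(body):  # SRI-style value: 'sha256-' + base64(SHA-256(body))
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def parse_package(raw, boundary=BOUNDARY):
    """Return (package headers, [(part headers, body)]) from a multipart package."""
    preamble, *chunks = raw.split(b"--" + boundary.encode())
    hdrs = lambda blob: dict(line.split(b": ", 1) for line in blob.strip().splitlines())
    parts = []
    for chunk in chunks[:-1]:  # the last chunk is the "--" of the closing delimiter
        head, _, body = chunk.strip(b"\n").partition(b"\n\n")
        parts.append((hdrs(head), body))
    return hdrs(preamble), parts

def verify_package(raw, hosting_origin):
    """Return a list of failures; an empty list means the package passes."""
    pkg_headers, parts = parse_package(raw)
    failures = ["missing manifest-signature header"] if b"manifest-signature" not in pkg_headers else []
    if not parts or parts[0][0].get(b"Content-Type") != b"application/manifest":
        return failures + ["first resource is not the manifest"]
    manifest = json.loads(parts[0][1])
    if manifest.get("moz-package-origin") != hosting_origin:
        failures.append("moz-package-origin does not match hosting origin")
    by_loc = {h[b"Content-Location"].decode(): body for h, body in parts[1:]}
    for res in manifest.get("moz-resources", []):
        body = by_loc.get(res["src"])
        if body is None or sri(body) != res["integrity"]:
            failures.append(f"{res['src']}: missing or integrity mismatch")
    return failures

def build_sample(tamper=False):
    """Assemble the sample; tamper=True edits script.js after the manifest was made."""
    manifest = json.dumps({"moz-package-origin": "https://example.com",
        "package-identifier": "PLACEHOLDER-ID", "moz-resources": [
        {"src": "/index.html", "integrity": sri(INDEX)}, {"src": "/script.js", "integrity": sri(SCRIPT)}]}).encode()
    script = SCRIPT.replace(b"a + b", b"a - b") if tamper else SCRIPT
    d = b"--" + BOUNDARY.encode() + b"\n"
    part = lambda loc, ct, body: d + b"Content-Location: " + loc + b"\nContent-Type: " + ct + b"\n\n" + body + b"\n"
    return (b"manifest-signature: PLACEHOLDER-SIGNATURE\n"
            + part(b"/someapp.webmanifest", b"application/manifest", manifest)
            + part(b"/index.html", b"text/html", INDEX)
            + part(b"/script.js", b"text/javascript", script) + d[:-1] + b"--\n")
```

`verify_package(build_sample(), "https://example.com")` returns an empty list, while a tampered script or a package re-hosted on another origin produces the corresponding failure entry.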