Security aspects of the Remote Agent
====================================

The Remote Agent is not a web-facing feature and as such has different
security characteristics than traditional web platform APIs. The
primary consumers are out-of-process programs that connect to the
agent via a remote protocol, but can theoretically be extended to
facilitate browser-local clients communicating over IPDL.


Design considerations
---------------------

The Remote Agent allows consumers to interface with Firefox through
an assorted set of domains for inspecting the state and controlling
execution of documents running in web content, injecting arbitrary
scripts into documents, instrumenting browser services, simulating
user interaction for automation purposes, and subscribing
to updates in the browser such as network and console logs.

The remote interfaces are served over an HTTP wire protocol, by a
server listener hosted in the Firefox binary. This can only be
started by passing the `--remote-debugging-port`
flag. Connections are by default restricted to loopback devices
(such as localhost and 127.0.0.1), but this can be overridden with
the `remote.force-local` preference.

Since the Remote Agent is not an in-document web feature, the
security concerns we have for this feature are essentially different
from those of other web platform features. The primary concern is that the
HTTPD is not spun up without passing one of the command-line flags.
It is our perception that if a malicious user has the capability
to execute arbitrary shell commands, there is little we can do to
prevent the browser being turned into an evil listening device.


User privacy concerns
---------------------

There are no user privacy concerns beyond the fact that the offered
interfaces will give the client access to all browser internals,
and thereby to all browser-internal secrets.


How the Remote Agent works
--------------------------

When the `--remote-debugging-port` flag is used,
it spins up an HTTPD on the desired port, or defaults to
localhost:9222. The HTTPD serves WebSocket connections via
`nsIWebSocket.createServerWebSocket` that clients connect to in
order to give the agent remote instructions.

The `remote.force-local` preference controls whether the HTTPD
accepts connections from non-loopback clients. System-local loopback
connections are the default:

    if (Preferences.get(FORCE_LOCAL) && !LOOPBACKS.includes(host)) {
        throw new Error("Restricted to loopback devices");
    }
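The following is an added example and not the Remote Agent's own code: it models the loopback gate shown above and runs a defender-side audit over constructed launch command lines and preference sets to find a listener that was started and left reachable beyond loopback. The contents of `LOOPBACKS`, the helper names `acceptClient`, `auditLaunch` and `auditAll`, and the sample inputs are assumptions made for illustration; the default port of 9222 comes from the text.

```javascript
// Added example, not Firefox's own code: a model of the loopback gate
// above plus a defender-side audit of browser launch configurations.

// Hosts treated as loopback (assumed list; the agent's real list may differ).
const LOOPBACKS = ["localhost", "127.0.0.1", "[::1]"];

// Same decision as the page's gate: remote.force-local defaults to true,
// so a client connecting from a non-loopback host is rejected.
function acceptClient(host, forceLocal = true) {
  if (forceLocal && !LOOPBACKS.includes(host)) {
    throw new Error("Restricted to loopback devices");
  }
  return true;
}

// Audit one browser process (hypothetical helper): was a remote-debugging
// listener requested on its command line, on which port, and does the
// preference set leave it reachable from non-loopback clients?
function auditLaunch(cmdline, prefs) {
  const m = cmdline.match(/--remote-debugging-port(?:[= ](\d+))?/);
  if (!m) {
    return { listening: false, port: null, exposedBeyondLoopback: false };
  }
  const port = m[1] ? Number(m[1]) : 9222; // default stated in the text
  // Only an explicit false in the prefs disables the loopback restriction.
  const forceLocal = prefs["remote.force-local"] !== false;
  return { listening: true, port, exposedBeyondLoopback: !forceLocal };
}

// Constructed sample inputs: three launch configurations seen on one host.
const SAMPLES = [
  { cmd: "firefox --profile /tmp/p1", prefs: {} },
  { cmd: "firefox --remote-debugging-port 9222", prefs: {} },
  { cmd: "firefox --remote-debugging-port=6000",
    prefs: { "remote.force-local": false } },
];

// Run the audit over every sample; the third one is the finding to act on.
function auditAll(samples) {
  return samples.map(s => auditLaunch(s.cmd, s.prefs));
}

for (const finding of auditAll(SAMPLES)) {
  console.log(finding);
}
```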

The Remote Agent implements a large subset of the Chrome DevTools
Protocol (CDP). This protocol allows a client to:

- take control over the user session for automation purposes, for
  example to simulate user interaction such as clicking and typing;
- instrument the browser for analytical reasons, such as intercepting
  network traffic;
- and extract information from the user session, including cookies
  and local storage.

There are no web-exposed features in the Remote Agent whatsoever.


Security model
--------------

It shares the same security model as DevTools and Marionette, in
that there is no other mechanism for enabling the Remote Agent than
by passing a command-line flag.

It is our assumption that if an attacker has shell access to the
user account, there is little we can do to prevent secrets from
being accessed or leaked.

The Remote Agent is available on all release channels.
The [security review] was completed in November 2019.

[security review]: https://bugzilla.mozilla.org/show_bug.cgi?id=1542229