Is the purpose of the Add-on SDK+Builder for Security?


crazycoder2000

Posts: 48

Joined: Fri Mar 16, 2012 11:07 am

Post Thu Apr 26, 2012 2:42 pm

Is the purpose of the Add-on SDK+Builder for Security?

I was just interested to know what caused the birth of the Add-on SDK and Builder code. Was it to make code that was a lot less exploitable by malware authors or just code that was quicker to learn or something else? Interested in why it was created and if its purpose is to replace completely the XUL code of which I know almost nothing at this point.

Al

iann

Posts: 857

Joined: Thu Sep 16, 2010 12:56 pm

Post Thu Apr 26, 2012 3:46 pm

Re: Is the purpose of the Add-on SDK+Builder for Security?

It was all of the above in varying degrees. Overlay-based addons can do anything up to and including rewriting a large proportion of Firefox. The risks are obvious, but it also makes it impossible to determine where Firefox ends and any or all addons begin, both for the purposes of monitoring them and potentially to allow separation into separate threads or processes. The SDK provides a fixed API between Firefox and the addon that both allows them to be distinguished and to limit the things they can do that might be dangerous. It also is a step in the direction of a true multi-process Firefox, something which overlay-based addons just don't do because they are by definition part of the main thread. Although the SDK provides methods for stepping outside the provided API, these must be explicitly requested and so are easy to detect by reviewers and potentially control in the future.
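The reply above says that stepping outside the SDK API has to be requested explicitly, which is what makes it easy for a reviewer to spot. As an added example (not part of the original thread and not the SDK's own tooling), this Node.js script flags modules that call `require("chrome")`, the SDK's explicit request for privileged `Components` access; the file names and contents in `ADDON_FILES` are constructed sample input.

```javascript
// Constructed sample add-on sources (illustrative, not a real add-on).
const ADDON_FILES = {
  "lib/main.js": [
    'var tabs = require("tabs");',
    '// var old = require("chrome");',
    'var { Cc, Ci } = require("chrome");',
    'var prefs = Cc["@mozilla.org/preferences-service;1"]',
    '              .getService(Ci.nsIPrefService);',
  ].join("\n"),
  "lib/panel-helper.js": [
    'var panel = require("panel");',
    'exports.show = function () { panel.Panel({}).show(); };',
  ].join("\n"),
};

// Blank out comments (string literals are matched first and kept) while
// preserving newlines, so commented-out code is ignored and line numbers hold.
function stripComments(src) {
  const re = /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, (m, str) => (str ? m : m.replace(/[^\n]/g, " ")));
}

// Return one finding per require("chrome") call: file, line, and the
// privileged names (Cc, Ci, ...) bound from it, if any.
function findChromeRequests(files) {
  const findings = [];
  const requireRe =
    /(?:(?:var|let|const)\s+([^=;]+?)\s*=\s*)?require\(\s*(["'])chrome\2\s*\)/g;
  for (const [path, src] of Object.entries(files)) {
    const code = stripComments(src);
    let m;
    while ((m = requireRe.exec(code)) !== null) {
      const line = code.slice(0, m.index).split("\n").length;
      const names = m[1]
        ? m[1].replace(/[{}\s]/g, "").split(",").filter(Boolean)
        : [];
      findings.push({ path, line, names });
    }
  }
  return findings;
}

console.log(findChromeRequests(ADDON_FILES));
```

A module with no finding stays inside the SDK's fixed API; each finding marks a place where the add-on's use of `Cc`/`Ci` needs manual review.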

crazycoder2000

Posts: 48

Joined: Fri Mar 16, 2012 11:07 am

Post Fri Apr 27, 2012 9:44 am

Re: Is the purpose of the Add-on SDK+Builder for Security?

It makes a lot of sense to do these things. I guess there will always be a cat and mouse game with the malware crowd, but at least it's better to be a hard target than easy prey. Maybe one day the battle will be won for security and privacy, the general public need it.

iann

Posts: 857

Joined: Thu Sep 16, 2010 12:56 pm

Post Fri Apr 27, 2012 11:57 am

Re: Is the purpose of the Add-on SDK+Builder for Security?

BTW, Mozilla has explicitly stated that the SDK is not intended to replace the more traditional overlay-based addons, although not everyone is 100% reassured.

wbamberg

Posts: 233

Joined: Thu Jun 23, 2011 4:08 pm

Post Fri Apr 27, 2012 1:15 pm

Re: Is the purpose of the Add-on SDK+Builder for Security?

Also, if you're interested: I wrote a blog post a while back outlining some of the security mechanisms in the SDK.

crazycoder2000

Posts: 48

Joined: Fri Mar 16, 2012 11:07 am

Post Sun Apr 29, 2012 7:52 am

Re: Is the purpose of the Add-on SDK+Builder for Security?

Thanks for the extra info. I am not advanced enough in programming to understand everything that the article mentions, but I can see that the additional security layering and filtering out content certainly looks well worth having to keep a lot of junk out of our systems.

I think all programmers should be encouraged to think about trying to use the SDK first, because of its security benefits if they can, to get their add-on built. This won't always be possible, but at least it would make Firefox have a smaller attack vector.
