I agree - I don't know the marionette protocol all that well but it may not be
that hard. The main difference as I understand between debugger and marionette
is that marionette has Marionette.switch_context('chrome'). Might need some
initial mitigations for that feature (since it is literally root access), but
maybe we can probably take a similar approach to what we are doing with
debugger (i.e. clear all sensitive app data before enabling feature).
On Sep 10, 2013, at 9:56 PM, David Burns wrote:
> It's not in production builds yet but we should eventually get there since how
> would an App developer be able to test their app? I appreciate there are a
> number of HUGE security and privacy issues that need to be overcome but I
> think it should still be on the table even if for a later date.
>
> David
>
> On 10/09/2013 19:57, Paul Theriault wrote:
>> Marionette isn't provided on production builds (unless that is what you are
>> proposing). Developer builds have root access enabled so not an issue I
>> think.
>>
>> Marionette is actually equivalent to root, not just similar to root (since
>> it can execute chrome code, not just code in the system app). So I don't
>> think we would ship marionette on any phone that we prevent root access on.
>>
>> On Sep 10, 2013, at 8:38 PM, David Burns wrote:
>>
>>> How would this security model work with Marionette since Marionette needs
>>> to access different apps according to what the user wants to do.
>>>
>>> We go in through a similar route to the remote debugger into the device (we
>>> are just a different actor)
>>>
>>> David
>>>
>>> On 10/09/2013 16:29, Paul Theriault wrote:
>>>> (bcc dev-gaia)
>>>>
>>>> I have been discussing the security implications of remote debugging with
>>>> a number of people and I wanted to throw the question out to a wider
>>>> audience. Remote debugging allows access to read any data in app and as
>>>> such has implications for the scenario of when a user loses their phone.
>>>>
>>>> Do we want to allow the remote debugger to connect to any app?
>>>>
>>>> My proposal is that, for production devices, you should only be allowed to
>>>> debug the apps you are developing. That is, the remote debugger will only
>>>> connect to web apps and privileged apps pushed to the device via the
>>>> simulator. It will _not_ connect to certified apps, or signed privileged
>>>> apps installed from the store. The only exception to this I can think of
>>>> is we probably support remote debugging of tabs within the browser app
>>>> (and possibly bookmarked web pages opened by the system app).
>>>>
>>>> For developer builds, the remote debugger would connect to any app.
>>>>
>>>> Thoughts on this proposal?
>>>>
>>>> - Paul
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> dev-b2g mailing list
>>>> [email protected]
>>>> https://lists.mozilla.org/listinfo/dev-b2g
>>>
>>
>