Improve code protection policy - allow remote code WITH precheck of CODE

Proposal for Secure Remote Code Handling in Browser Extensions

Issue:

I have developed complex automation plugins that involve significant effort and intellectual property. However, distributing these extensions exposes substantial parts of the code, allowing competitors to potentially copy and misuse it. This situation highlights the need for a better approach to secure remote code within extensions while protecting intellectual property.

Proposal:

I propose a structured method for managing remote code in extensions, incorporating verification, obfuscation, and encryption to enhance security and protect intellectual property.

  1. Extension Package Structure

When submitting an extension for signing, the package will include two primary components:

Local Extension Code: The code that is part of the XPI package.
Remote Code Settings: Instructions and references related to the remote code.
  1. XPI Extension Code Structure

The standard structure for the XPI package includes:

XPI Extension Code/
├── background-scripts/
├── content-scripts/
├── manifest.json

  1. Remote Code Structure

The remote code details are submitted as part of the signing process but are not included in the final XPI package. Instead, a settings.json file references the remote code structure:

Remote Code/
├── settings.json
├── background-scripts/
├── content-scripts/

Detailed Breakdown of settings.json

Before Signing:

{
“obfuscation_library”: “library_name”,
“obfuscation_params”: {
“param1”: “value1”,
“param2”: “value2”
},
“remote_code_files”: [
{
“filename”: “background-script.js”,
“url”: “https://your-server.com/scripts/background-script.js
},
{
“filename”: “content-script.js”,
“url”: “https://your-server.com/scripts/content-script.js
}
]
}

After Signing:

{
“remote_code_files”: [
{
“filename”: “background-script.js”,
“url”: “https://your-server.com/scripts/background-script.js”,
“md5”: “qwertyuiopasdfgh”
},
{
“filename”: “content-script.js”,
“url”: “https://your-server.com/scripts/content-script.js”,
“md5”: “asdfghjklzxcvbnm”
}
]
}

Process Workflow

Submission for Signing:
    Developers submit the full package, including both local XPI extension code and remote code.
    The settings.json file includes details about the obfuscation library, parameters, and URLs for remote code files.

Obfuscation and MD5 Generation:
    Mozilla takes the code in the remote directory 
    Mozilla then obfuscates the code using the specified library and settings.
    MD5 hashes are generated for each obfuscated file.
    The settings.json file is updated with these MD5 hashes before finalizing the signing process.

Final Package Composition:
    After signing, the remote code itself is removed from the XPI package.
    The final XPI package will include:
        The local extension code.
        The Remote Code directory with settings.json, which contains the updated MD5 hashes.

Runtime Operation:
    The extension fetches remote code based on the URLs specified in settings.json.
    It computes MD5 hashes of fetched files and compares them with the hashes stored in settings.json to verify code integrity before execution.

Security and Integrity

Protection of Intellectual Property: Remote code is verified via MD5 hashes and protected by obfuscation (encrypting would be also nice but thats for later)
Flexibility for Updates: Developers can update remote code by resubmitting the extension for signing. Any changes to remote code require a new submission to ensure code integrity.
Maintained Security: MD5 hashes ensure that any remotely executed code matches the verified and signed code.

Developer and User Benefits

Secured Execution Environment: Ensures that only authorized and verified remote code is executed, preserving both security and code integrity.
Ease of Management: Developers can securely manage remote code without exposing it in the final XPI package, reducing the risk of intellectual property theft.
Controlled Updates: Allows developers to update remote code by resubmitting the extension, ensuring that any changes are verified and signed.

This would allow control over who gets the code, e.g. authenticated users, logged and tracked etc

Issues:

Some of the remote code may have injected variables e.g. user name from a server say from a rails app then serving the code with modifications - so yes some will complain…

Thoughts? Don’t shoot this down - try to think objectively about how we can commercialize plugins later on this way

Or SHA-256 for better security, less collisions etc - the idea still stays the same

Please don’t format regular text as code (single/triple backticks).
Code lines don’t wrap, so the readers have to scroll many times to read the entire text.

But:
Formatting JSON as code is helpful, because it preserves the indentation.

Hello @adnexius. I will pass your proposal along, but currently I don’t believe remote code execution is allowed at all.