Ian Bicking: A Product Journal: Security
I’m blogging about the development of a new product in Mozilla; look here for my other posts in this series.
PageShot, the product I’m working on, makes snapshots of the DOM (the live, dynamic web page) as it is rendered in your browser. There are a lot of security issues here. That DOM is intended to be short-lived, to only be shown to the one user, and it might have links that are implicitly authenticated. For instance, you can imagine a link like https://someothersite.com/delete?id=49&auth=30f83020a839e where the auth key is what gives the user permission to delete that resource; by sharing that link (which is embedded somewhere in the page) I am sharing the ability to delete something. But neither the application developer nor I as the sharer probably realize that. Generally PageShot breaks developers’ expectations, potentially creating a category of security bugs they’d never thought about.
PageShot has a lot of security implications because it tries to subvert URL sharing, where servers mediate all attempts to share outside of screenshots.
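As an added illustration (not part of the original post and not PageShot’s own code), here is the kind of sanitizer pass a snapshot tool could run over the serialized DOM before it is shared: it redacts query parameters whose names look like credentials, such as the `auth` key in the link above. The parameter-name list is an assumed heuristic, and the HTML sample is constructed.

```javascript
// Assumed heuristic list of query-parameter names that commonly carry
// capabilities or credentials. Not exhaustive; tune it for your own sites.
const SECRET_PARAM_NAMES = new Set([
  'auth', 'token', 'access_token', 'key', 'api_key', 'apikey',
  'session', 'sessionid', 'sid', 'signature', 'sig', 'password', 'pwd',
]);

// Redact secret-looking parameters in one URL string. Relative URLs and
// fragments are preserved; URLs without a query are returned unchanged.
function redactUrl(rawUrl) {
  const q = rawUrl.indexOf('?');
  if (q === -1) return { url: rawUrl, redacted: 0 };
  const hashIdx = rawUrl.indexOf('#', q);
  const query = hashIdx === -1 ? rawUrl.slice(q + 1) : rawUrl.slice(q + 1, hashIdx);
  const fragment = hashIdx === -1 ? '' : rawUrl.slice(hashIdx);
  const params = new URLSearchParams(query);
  let redacted = 0;
  for (const name of new Set(params.keys())) {
    if (SECRET_PARAM_NAMES.has(name.toLowerCase())) {
      params.set(name, 'REDACTED'); // replaces every occurrence of that name
      redacted += 1;
    }
  }
  if (redacted === 0) return { url: rawUrl, redacted: 0 };
  return { url: rawUrl.slice(0, q + 1) + params.toString() + fragment, redacted };
}

// Walk href/src/action attributes in a serialized DOM snapshot. Attribute
// values are HTML-escaped ("&amp;"), so decode before parsing and re-encode after.
function redactSnapshotHtml(html) {
  let total = 0;
  const out = html.replace(/\b(href|src|action)=(["'])(.*?)\2/gi, (m, attr, quote, value) => {
    const { url, redacted } = redactUrl(value.replace(/&amp;/g, '&'));
    if (redacted === 0) return m;
    total += redacted;
    return `${attr}=${quote}${url.replace(/&/g, '&amp;')}${quote}`;
  });
  return { html: out, redacted: total };
}

// Constructed sample: the implicitly authenticated delete link from the post,
// plus a harmless cache-busted image URL that must pass through untouched.
const SAMPLE_SNAPSHOT =
  '<a href="https://someothersite.com/delete?id=49&amp;auth=30f83020a839e">Delete</a>' +
  '<img src="/static/logo.png?v=3">';

function demo() {
  return redactSnapshotHtml(SAMPLE_SNAPSHOT);
}
console.log(demo());
```

This only catches secrets carried in query strings; tokens embedded in path segments, cookies, or page text need their own checks.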
Admitting this makes me feel pretty cagey and defensive. I know there are risks, I know it’s hard to get users to understand the impact of their actions, but I want to do this thing anyway because I have a hunch these risks are worth it.
There’s another way to look at it: these are risks, but also challenges. There are many smart people at Mozilla, and of course any smart person could offer improvements. I believe in the potential for unexpected solutions to arise to challenging problems. Solutions that mitigate the security problems while preserving the value of the DOM over pixels. Solutions that help users understand the impact of what they are doing. Some category of solution I haven’t thought of. I suspect being in security can be a bummer because you often end up in the organizational role of saying no, instead of the more fun role of figuring out how to say yes.
The other thing I have to remember: all of these things are work. If PageShot is a product people find value in, then it’s worth doing that work. But we don’t know yet. So I have to figure out a way to sit on my hands, to hopefully project that this is a prototype exploring whether the idea is valuable, not a prototype to explore the implementation. And if it is valuable then the project will need help around security; and if it’s not valuable then we’ll just tear it all down without wasting too much of other people’s time.
http://www.ianbicking.org/blog/2015/12/product-journal-security.html