expose a DNS API (for MX, SRV) records, leave it to apps to use the TCP/UDP API, or leave it to servers via HTTP? (for e-mail app)

For the e-mail app we are planning to reuse Thunderbird's 
auto-configuration mechanism to facilitate account setup:
https://developer.mozilla.org/en/Thunderbird/Autoconfiguration

One of its heuristics after failing to find explicit autoconfiguration 
directives for a domain is to look up the MX entry for the domain to 
attempt to determine the hosting provider which may in turn have 
configuration information available.

There are three main ways to accomplish this for the e-mail app:

1) Expose a Web API for DNS resolution capable of providing other record 
types.

2) Have apps use the pending TCP API and/or a new UDP API to issue DNS 
queries themselves.  There is an MIT licensed node library that could be 
used as a basis for this: https://github.com/tjfontaine/node-dns

3) Don't try and run the query on the client, but instead have a 
(web)server do the query.  Because of past and current Gecko platform 
limitations, this is what Thunderbird does, but not what it wants to do 
( https://bugzilla.mozilla.org/show_bug.cgi?id=563958 ).  There is some 
promising platform work happening to address the Gecko platform 
limitation: https://bugzilla.mozilla.org/show_bug.cgi?id=735967

I understand from the bug traffic and elsewhere that XMPP clients would 
also be interested in this functionality.


The main argument in favor of such an API is the ability of the platform 
to eventually provide additional confidence in replies, such as 
performing DNSSEC validation and/or being augmented to securely ask 
other observers on the internet to confirm their lookups returned 
similar-enough values.

Potential arguments against such an API are that DNS queries can be used 
to leak information (ex: tcp-over-dns) and it might be hard to explain 
the permission and do so without being confusing/annoying. Information 
leakage would only be relevant in a tightly locked down execution model 
where an app is running without meaningful network access or in an 
attack where the attacker has managed to get some JS running in the 
app's context but CSP/other policy makes it hard for the attacker to 
exfiltrate the information to a server they control via easier means.

Andrew
0
Andrew
4/12/2012 11:41:44 PM
mozilla.dev.webapi 565 articles. 0 followers. Post Follow

0 Replies
731 Views

Similar Articles

[PageSpeed] 50

Reply:

Similar Artilces:

Exposing the browser api reference to the internal/certified apps(eg. System app) themselves?
Hi folks, Recently, some of the b2g folks are refactoring the audio channel service in [1], what we do is using the new broswer api [2] to allow/deny the audio channels, then wrap up those logic we used in gecko then re-implement it in gaia. It's a sub-module [3] directly in the System app, in theory it's capable of managing any iframe/app's audio channel which created under the System app. The problem we encountered is, we use some audio elements to play sounds in the System app, like the notification, screen reader, ringtones..., this means we also need to manage the...

Exposing the browser api reference to the internal/certified apps(eg. System app) themselves?
--089e0112c0a00641ac05153e39c8 Content-Type: text/plain; charset=UTF-8 Hi folks, Recently, some of the b2g folks are refactoring the audio channel service in [1], what we do is using the new broswer api [2] to allow/deny the audio channels, then wrap up those logic we used in gecko then re-implement it in gaia. It's a sub-module [3] directly in the System app, in theory it's capable of managing any iframe/app's audio channel which created under the System app. The problem we encountered is, we use some audio elements to play sounds in the System app, like the notifi...

Exposing the browser api reference to the internal/certified apps(eg. System app) themselves?
--089e0112c0a00641ac05153e39c8 Content-Type: text/plain; charset=UTF-8 Hi folks, Recently, some of the b2g folks are refactoring the audio channel service in [1], what we do is using the new broswer api [2] to allow/deny the audio channels, then wrap up those logic we used in gecko then re-implement it in gaia. It's a sub-module [3] directly in the System app, in theory it's capable of managing any iframe/app's audio channel which created under the System app. The problem we encountered is, we use some audio elements to play sounds in the System app, like the notifi...

Simple e-mail app. Problem to send email via local smtp server
Hi dear users.This is part of my simple e-mail app (using asp.net 2.0)  MailMessage message = new MailMessage(); message.To.Add(TextBox2.Text); message.From = new MailAddress(TextBox1.Text); message.Subject = TextBox3.Text; message.Body = TextBox4.Text; SmtpClient client = new SmtpClient(); client.Host = "127.0.0.1"; client.Port = 25; client.EnableSsl = false; client.Send(message);   When I click the button I invoke the code above. Application don't run a...

Gaia e-mail app wants fancier support from notifications API/Gaia notifications UI; what do we do?
Currently, notifications as implemented in Gaia have the following characteristics: - we turn on the screen if it is off so the user can see the notifications - we do a toaster notification - we set a status bar notification - we play a ringtone unless the notification volume level is set to 0 - we vibrate if enabled - the UI representation of the notification includes the timestamp of when the notification was generated - the title of the notification is text/plain that is displayed in bold with no supported markup - the body of the notification is text/plain that has no special...

Using XULRunner app as a server-side app
Hi, I'd like to use a XULRunner-based tiny web-browser on a server to automate testing/QA tasks. While server apps basically do not need UI I'm looking for a way to switch it off to save resources. Is there a way to turn off UI or somehow minimize the cost of using it? Thanks for advance, Denis On 11/12/08 18:17, disya2 wrote: > Hi, > > I'd like to use a XULRunner-based tiny web-browser on a server to > automate testing/QA tasks. While server apps basically do not need UI > I'm looking for a way to switch it off to save resources. Is there a >...

How to use Google API on b2g app
Hi all I'm developping RSS reader app on B2G. But, Google Feed API can't work. like below code : ****** start ****** <script type="text/javascript" src="https://www.google.com/jsapi"></script> <script type="text/javascript"> //<![CDATA[ google.load("feeds", "1"); var getRssFeed = function () { var feedControl = new google.feeds.FeedControl(); // loading feed setting feedControl.addFeed('http://any.path.rss.feed/', 'feed'); // output feedControl.draw(document.getElementBy...

How to leave e-mail messages on server
I'm using Mozilla Mail and have 2 computers networked. If I retrieve mail from one then I can't see it on the other. How can I leave the messages on the server so I can get it on both computers? On newsgroups I tell it to only download 50 messages. Every now and then on groups that have lots of posts, I'll see a RE: to a post and I have interest in it. How can I go back and retrieve the messages that weren't downloaded in the 50? L.D. L.D. wrote: > I'm using Mozilla Mail and have 2 computers networked. If I retrieve > mail from one then I can...

App manager and Dev Apps
Hello, I am experiencing problems to debug apps loaded in the App Manager. I don't have this problem if the App is downloaded from the Marketpalce and debugged with the App Manager. Is there a known problem to debug Dev Apps, loaded from a directory in your computer? Thanks, Juanma ...

WebAPI Security Discussion: Open Web App API
Please reply-to dev-webapps@lists.mozilla.org Name of API: Open Web App API Reference: = https://developer.mozilla.org/en/OpenWebApps/The_JavaScript_API Brief purpose of API: The Open Web Apps JavaScript API is a programmatic = interface for installing Web apps and for managing a client-side = collection of Web apps that a user has installed.=20 General Use Cases:=20 * Install an app - navigator.mozApps.install(url, [install_data])=20 * A web page can check if it is installed - navigator.mozApps.getSelf() * Return a list of installed apps installed by this domain - = navigator...

Sending e-mail from app using exchange and WebDAV
My company wishes to send HTML newsletters to an internal address not accessible from outside the company.  I had previously written some code that sends HTML pages via e-mail and that works fine. The problem I think I will have is accessing the internal address.  The internal address is actually a distribution list.  I've been doing some reasearch and it looks like WebDAV may be the way to go.  All I want to do is get into the exchange server to send the mail. Am I on the right path? Thanks!-Craig U-Sports.net - Taking Fantasy Football to School Ok, I have the WebDA...

ASP.NET Membership API via Winforms App?
I have setup a small test site using ASP.NET and Forms Authentication. Works Well. I have also used the ASP.NET Website Admin Tool to manage users and roles. Also cool. However, I would like to control web accounts / users and role allocation through a winforms app (VB.NET), this is so I can integrate it into another desktop application we use here. Does anyone have any idea how to start this off? - I believe I should be looking at  membership API but how to start would be a help. I have looked around and found little on this so far. Any help you can give will be greatly ...

DNS entry for Netware Mail Server (mx record)
I installed the Netware 6 DNS server, and created the name server entry and the www server entry, but I seem to have a problem creating the mail DNS entry, mx record, for groupwise 6.5 mail. Anybody know how to create the entry for the mail server, which is running on the same box as the dns/groupwise server. Thanks John --____LPHMXLZMXOMRLFKSEJCW____ Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable add it under the "big @" (the record that is usually directly under your = zone, it is a "big @" si...

Revisiting: Web API for DNS lookups? (MX/SRV)
I raised a question about this about 2 years ago at https://groups.google.com/forum/#!topic/mozilla.dev.webapi/NAB_-sfByjI and :gal's opinion at the time was that we should just use a UDP API to meet email's autoconfig DNS needs. I filed https://bugzil.la/745283 to get us a UDP implementation and it is being actively worked with patches up for feedback. Because we didn't have the API and for time reasons, we ended up getting our MX DNS lookup via Thunderbird's autoconfig server over https. Since the UDP implementation is coming along and we need to do some ...

Web resources about - expose a DNS API (for MX, SRV) records, leave it to apps to use the TCP/UDP API, or leave it to servers via HTTP? (for e-mail app) - mozilla.dev.webapi

Resources last updated: 11/22/2015 3:43:09 AM