Closed
Bug 1139131
Opened 10 years ago
Closed 10 years ago
inter-app communication (IAC) system messages don't require a permission
Categories
(Core :: DOM: Device Interfaces, defect)
RESOLVED
INVALID
People
(Reporter: freddy, Unassigned)
Details
(Keywords: sec-moderate)
+++ cloned and copy/pasted parts of the bug description from bug 1138808 +++
I'm not sure, but it seems like the permission check for IAC messages isn't complete.
The implementation (https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#942) refers to the SystemMessagePermissionsChecker (https://dxr.mozilla.org/mozilla-central/source/dom/messages/SystemMessagePermissionsChecker.jsm#65), but the entry for said message mentions no permission.
Unless I'm mistaken, that means any app could work with these system messages.
Updated•10 years ago
Group: core-security
Comment 1•10 years ago
On reflection I think this is actually ok. Connection system messages are sent from here:
https://dxr.mozilla.org/mozilla-central/source/dom/apps/InterAppCommService.jsm#445
Part of sending this system message is finding all the apps that are registered to receive this specific connection, so in this case the system message is not just broadcast to all apps, but rather sent only to the apps which have the appropriate "connections" in their manifest.
Looking a bit further up, we see that apps need to be certified to be able to register a connection.
https://dxr.mozilla.org/mozilla-central/source/dom/apps/InterAppCommService.jsm#355
Note that the message is sent to specific apps using .sendMessage(...) rather than .broadcastMessage(...)
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Updated•9 years ago
Group: core-security
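
A simplified model of the argument in Comment 1, added here as an illustration; it is not Gecko code and not part of the original bug. The class names, app records and keyword are hypothetical; only the sendMessage/broadcastMessage distinction, the empty permission entry and the certified-only registration come from the thread.

```javascript
// Simplified model, not Gecko code; class names and app records are hypothetical.
const PERMISSIONS_TABLE = { connection: {} }; // empty entry: no permission listed

class Messenger {
  constructor() { this.delivered = []; }
  // Targeted delivery: exactly one recipient per call.
  sendMessage(type, payload, manifestURL) { this.delivered.push({ type, payload, manifestURL }); }
  // Broadcast: every installed app that holds the listed permissions.
  broadcastMessage(type, payload, installedApps) {
    const needed = Object.keys(PERMISSIONS_TABLE[type] || {});
    for (const app of installedApps) {
      if (needed.every((p) => app.permissions.includes(p))) {
        this.sendMessage(type, payload, app.manifestURL);
      }
    }
  }
}

class ConnectionRegistry {
  constructor(messenger) { this.messenger = messenger; this.subscribers = new Map(); }
  // Registration gate: only certified apps may register a connection.
  register(app, keyword) {
    if (app.type !== "certified") return false;
    if (!this.subscribers.has(keyword)) this.subscribers.set(keyword, new Set());
    this.subscribers.get(keyword).add(app.manifestURL);
    return true;
  }
  // Delivery gate: only apps registered for this keyword are addressed.
  connect(keyword, payload) {
    const targets = [...(this.subscribers.get(keyword) || [])];
    for (const url of targets) this.messenger.sendMessage("connection", payload, url);
    return targets;
  }
}

// Constructed sample apps.
const apps = [
  { manifestURL: "app://certified.example/manifest.webapp", type: "certified", permissions: [] },
  { manifestURL: "app://other.example/manifest.webapp", type: "privileged", permissions: [] },
];

function demo() {
  const registry = new ConnectionRegistry(new Messenger());
  const registered = apps.map((a) => registry.register(a, "sample-keyword"));
  const targeted = registry.connect("sample-keyword", { hello: 1 });
  const bm = new Messenger();
  bm.broadcastMessage("connection", { hello: 1 }, apps);
  return { registered, targeted, broadcast: bm.delivered.map((d) => d.manifestURL) };
}
```

In this model `demo()` shows the broadcast path reaching both apps because the table entry is empty, while the targeted path reaches only the registered certified app.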