Closed
Bug 794187
Opened 12 years ago
Closed 12 years ago
SecReview: want to upload and use JavaScript in WordPress, to display GitHub metrics for our projects, on quality.mozilla.org (QMO)
Categories
(mozilla.org :: Security Assurance: Review Request, task, P2)
mozilla.org
Security Assurance: Review Request
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: stephend, Assigned: amuntner)
Details
(Whiteboard: [secreview completed][start 2012-12-10][target 2012-12-10[score:35:Medium])
Who is/are the point of contact(s) for this review?
* Myself (Stephen Donner), Bob Silverberg (bsilverberg on #mozwebqa), and Zac Campbell (zac on #mozwebqa)

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
* We'd like the ability to use JavaScript in our WordPress instance of QMO (quality.mozilla.org) to display GitHub stats for our automation projects, dynamically

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
* It would potentially use: http://codex.wordpress.org/Using_Javascript, and look like http://bobsilverberg.github.com/jquery-github-widget/example/

Does this request block another bug? If so, please indicate the bug number
* No

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
* We'd love to get this soon, but understand that real security reviews are higher priority

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
* There's no quarterly goal yet tied to this

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
* No

Are there any portions of the project that interact with 3rd party services?
* Yes, pulls in via JSON, like so:
  [11:36:09.337] GET https://api.github.com/repos/mozilla/qmo-tests?callback=jQuery172011219896164879795_1348598169260&_=1348598169283 [HTTP/1.1 200 OK 853ms]

Will your application/service collect user data? If so, please describe
* No, I don't believe so, at least not on our end

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Updated•12 years ago
Whiteboard: [pending secreview] → [pending secreview][triage needed]
Updated•12 years ago
Assignee: nobody → amuntner
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Assignee
Comment 1•12 years ago
Is there documentation for the JSON request/response? One thing we're interested in making sure of is security around what gets returned and rendered in the user's browser; the API call docs would help a lot. Also, I did some searching and I'm still not certain what api.github.com is, who hosts it, and who controls it to what extent. Could someone explain? Thank you!
Assignee
Comment 2•12 years ago
Once I understand those things better I'll be able to complete the triage.
Comment 3•12 years ago
Thanks for the review, Adam. The main page for the GitHub API can be found at http://developer.github.com/v3/. The documentation for the JSON request/responses used in the code can be found at http://developer.github.com/v3/orgs/#get-an-organization and http://developer.github.com/v3/repos/#get. Regarding api.github.com, it is hosted by Github and is described at http://developer.github.com/v3/ as: "All API access is over HTTPS, and accessed from the api.github.com domain (or through yourdomain.com/api/v3/ for enterprise). All data is sent and received as JSON." Please let me know if you have any other questions.
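The concern in comment 1 is what the widget renders once the GitHub JSON arrives. The following is an added example, not code from this bug or from the jquery-github-widget project: a rendering helper that treats every field of a repository response as untrusted before it reaches the DOM. Field names (`full_name`, `html_url`, `stargazers_count`, `forks_count`, `open_issues_count`, `description`) are assumed from the GitHub v3 repository response, and the sample object is constructed for the example.

```javascript
"use strict";

// Escape the characters that matter when untrusted text lands inside HTML
// text content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Keep only the fields the widget needs and check their shape; anything else
// in the response is ignored, so an unexpected or tampered field never renders.
// Field names are assumed from the GitHub v3 repository response.
function pickRepoStats(json) {
  const name = json.full_name;
  const url = json.html_url;
  const counters = [json.stargazers_count, json.forks_count, json.open_issues_count];
  if (typeof name !== "string" || !/^[\w.-]+\/[\w.-]+$/.test(name)) {
    throw new Error("unexpected full_name");
  }
  // Only an https GitHub URL may become an href; this rejects javascript: links.
  if (typeof url !== "string" || !url.startsWith("https://github.com/")) {
    throw new Error("unexpected html_url");
  }
  for (const n of counters) {
    if (!Number.isInteger(n) || n < 0) throw new Error("counter is not a non-negative integer");
  }
  const description = json.description == null ? "" : String(json.description);
  return { name, url, stars: counters[0], forks: counters[1], issues: counters[2], description };
}

// Build the widget markup with every dynamic value escaped. In the live page,
// assigning element.textContent per field is the equivalent safe approach.
function renderRepoStats(json) {
  const s = pickRepoStats(json);
  return `<a href="${escapeHtml(s.url)}">${escapeHtml(s.name)}</a>` +
    ` stars: ${s.stars}, forks: ${s.forks}, open issues: ${s.issues}` +
    ` <span>${escapeHtml(s.description)}</span>`;
}

// Constructed sample response (not a real API capture): the description carries
// markup, which any repository owner is free to put there.
const SAMPLE_REPO = {
  full_name: "mozilla/qmo-tests",
  html_url: "https://github.com/mozilla/qmo-tests",
  description: "QMO tests <img src=x onerror=alert(1)>",
  stargazers_count: 12, forks_count: 3, open_issues_count: 1,
};

console.log(renderRepoStats(SAMPLE_REPO));
```

The `callback=` parameter in the request logged in the description is JSONP, which executes the response as a script in the page; fetching plain JSON over XHR with CORS and passing it through a helper like this keeps the response as data.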
Assignee
Comment 4•12 years ago
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings
Priority: 4 (P2) - Mozilla Initiative
Operational: 2 - Normal
User: 3 - Major
Privacy: 4 - Critical
Engineering: 1 - Minor
Reputational: 1 - Minor
Priority Score: 35
Assignee
Updated•12 years ago
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:35:Medium]
Assignee
Updated•12 years ago
Priority: -- → P2
Assignee
Updated•12 years ago
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][score:35:Medium] → [pending secreview][start 2012-12-10][target 2012-12-10[score:35:Medium]
Assignee
Comment 5•12 years ago
It looks safe to me. Can you loop us back in to take another look once you have it up on the site?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee
Updated•12 years ago
Whiteboard: [pending secreview][start 2012-12-10][target 2012-12-10[score:35:Medium] → [secreview completed][start 2012-12-10][target 2012-12-10[score:35:Medium]
Reporter
Comment 6•11 years ago
(In reply to Adam Muntner :adamm from comment #5)
> It looks safe to me. Can you loop us back in to take another look once you
> have it up on the site?

Bob, can you look into this, with an authenticated call?
Reporter
Updated•11 years ago
Flags: needinfo?(bob.silverberg)
Comment 7•11 years ago
Sorry for the late reply, Stephen. I have looked into this and there is apparently a way to do this via JavaScript, but I haven't had a chance to try it out yet. I will try to get to it this week.
Flags: needinfo?(bob.silverberg)