Closed
Bug 1038319
Opened 11 years ago
Closed 8 years ago
SecReview: Appmaker
Categories
(mozilla.org :: Security Assurance: Review Request, task)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: michiel, Assigned: ygjb)
Details
(Whiteboard: [pending secreview] [appmaker])
>> Who is/are the point of contact(s) for this review?
me (Pomax)
>> Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.)
Appmaker produces and serves (on S3) publicly available apps as bundles of HTML by compiling lists of web components through a UI. The user is allowed to tweak attributes on these components to customize their apps as well as add custom components that they wrote themselves with active JavaScript.
>> Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
current "live" site: apps.webmaker.org
github repository: https://github.com/mozilla-appmaker/appmaker
documentation wiki: https://github.com/mozilla-appmaker/appmaker/wiki
>> Does this request block another bug? If so, please indicate the bug number
not as far as I'm aware
>> This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
Earliest convenience.
>> To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
Yes, it's part of webmaker/MoFo goals to launch Appmaker.
>> Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
Possibly. It affects webmaker.org, which isn't a product in the sense that Firefox and Thunderbird are, but a current Mozilla focus.
>> Are there any portions of the project that interact with 3rd party services?
AWS-S3 data storage, Firebase data storage, Heroku (for develop/instance testing), and custom element loading from arbitrary URLs, although for scoping purposes we only support GitHub's gh-pages at the moment.
>> Will your application/service collect user data? If so, please describe
All user data is handled by webmaker.org's user system; Appmaker does not do any additional user data collection of its own.
>> If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
Appmaker, like other webmaker tools, allows users to build active content, so all the security issues typically associated with running user generated live content will apply here. There is currently no content isolation like in (for instance) Thimble, so user generated JavaScript may be able to interact with the user's session. There are no components currently defined that (intentionally) allow arbitrary code to run, but custom components written by users might be a security issue.
>> Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
The earliest convenient date, but the public announcement of Appmaker will be at the beginning of August.
It'll be good to have Robert Richter and Simon Wex as invitees on this review.
Assigning to yvan for an appsec resource to review
Assignee: nobody → yboily
Comment 2•11 years ago
Just wondering if there was any progress on this? Would be good to have your thoughts and advice soon.
This product has been retired.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID