Bug 1198071 (Closed): Remove session_status support from about:accounts.
Opened 9 years ago; closed 9 years ago.
Categories: Firefox :: Firefox Accounts, defect, P1
Tracking

Flag | Tracking | Status
---|---|---
firefox43 | --- | fixed
People
(Reporter: markh, Assigned: markh)
Details
Attachments (1 file)

0001-Bug-1198071-remove-support-for-session_status-server.patch (attachment 8652109, 2.23 KB, patch). Flags: rfkelly: review+, zaach: review+
The content server used to send a session_status request, which would cause Firefox to send all account data back to the content server. This has the effect of sending data that should never leave the device back to the server, and the server no longer makes that request (https://github.com/mozilla/fxa-content-server/commit/8f414c4a0b9cc70d2c243897c102368d79021be2) - so we should just remove that support to ensure it can't be abused in some edge-case we haven't thought of yet.
Flags: firefox-backlog+
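The description above is the whole mechanism: a privileged browser page answered a request from web content by handing over the complete account record, keys included. As an added illustration (not code from Firefox or the fxa-content-server; the command name "profile_summary", the allowlist and the field names other than uid, kB and OAuth tokens are assumptions), here is the pattern the fix reduces to: the risky command is removed outright, and anything still answered to content goes through an explicit field allowlist, with a check that a reviewer can run against every response.

```javascript
// Illustrative model of a privileged page answering messages from web content.
// Not Firefox's code: the account fields other than uid, kB and OAuth tokens,
// the "profile_summary" command and the allowlist are assumptions.
const ACCOUNT = { // constructed sample account record
  uid: "0123456789abcdef",
  email: "user@example.com",
  sessionToken: "sess-secret",
  kB: "kB-must-never-leave-device",
  oauthTokens: ["oauth-secret"],
};

// Vulnerable shape: "session_status" echoes the entire record back to content.
function handleVulnerable(command, account = ACCOUNT) {
  switch (command) {
    case "session_status":
      return { ...account };
    default:
      return null;
  }
}

// Hardened shape: "session_status" no longer exists, and every remaining
// content-facing response is built from an allowlist rather than by copying.
const CONTENT_VISIBLE_FIELDS = ["uid", "email"];

function projectForContent(account) {
  const out = {};
  for (const field of CONTENT_VISIBLE_FIELDS) {
    if (field in account) out[field] = account[field];
  }
  return out;
}

function handleHardened(command, account = ACCOUNT) {
  switch (command) {
    case "profile_summary": // assumed stand-in for a future content-facing request
      return projectForContent(account);
    default:
      return null; // unknown (including removed) commands are ignored
  }
}

// Review check: does a response destined for content carry anything secret?
const SECRET_FIELDS = ["kA", "kB", "sessionToken", "keyFetchToken", "unwrapBKey", "oauthTokens"];

function leaksSecrets(response) {
  return response !== null && SECRET_FIELDS.some((f) => f in response);
}
```

Running `leaksSecrets` over every branch of the handler is the kind of check that would have flagged the original behaviour; the allowlist makes a future "limit it to the uid" version (as discussed below) the default rather than something each new command has to remember.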
Comment 1 • 9 years ago, Ryan Kelly [:rfkelly]
Sounds OK to me. We hope to bring back similar functionality at some point in the future, to help sync logged-in state between the site and the device. But there's no point leaving a potential abuse vector sitting around unmaintained in the meantime.
Comment 2 • 9 years ago, markh (Assignee)
(In reply to Ryan Kelly [:rfkelly] from comment #1)

> Sounds OK to me. We hope to bring back similar functionality at some point in the future, to help sync logged-in state between the site and the device.

Yeah - but I assume we'd still limit the data being sent to, eg, the uid. IIUC, currently you get kB (and everything else - probably including oauth tokens etc too.)

> But there's no point leaving a potential abuse vector sitting around unmaintained in the meantime.

Sounds good - and I think you may as well review it too ;)
Comment 3 • 9 years ago
Comment on attachment 8652109: 0001-Bug-1198071-remove-support-for-session_status-server.patch

Review of attachment 8652109:

> I assume we'd still limit the data being sent to, eg, the uid. IIUC, currently you get kB (and everything else - probably including oauth tokens etc too.

IMO none of those things are off the table in future, but we'll have to be very careful and deliberate about any of it.

> and I think you may as well review it too

LGTM, but I'm going to defer final r? on this to Zach who may have had plans to re-use some of this for what I described above.
Attachment #8652109 - Flags: review?(zack.carter)
Attachment #8652109 - Flags: review?(rfkelly) → review+
Updated • 9 years ago
Attachment #8652109 - Flags: review?(zack.carter) → review+
Comment 5 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/86aaa9aafca2
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox43: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Updated • 9 years ago
Iteration: --- → 43.2 - Sep 7

Updated • 7 years ago
Product: Core → Firefox

Updated • 7 years ago
Target Milestone: mozilla43 → Firefox 43