Closed Bug 1198071 Opened 9 years ago Closed 9 years ago

Remove session_status support from about:accounts.

Categories: Firefox :: Firefox Accounts, defect, P1

Tracking: RESOLVED FIXED, Firefox 43
Iteration: 43.2 - Sep 7
Tracking Status: firefox43 --- fixed

People

(Reporter: markh, Assigned: markh)

Details

Attachments

(1 file)

The content server used to send a session_status request, which would cause Firefox to send all account data back to the content server. This has the effect of sending data that should never leave the device back to the server, and the server no longer makes that request (https://github.com/mozilla/fxa-content-server/commit/8f414c4a0b9cc70d2c243897c102368d79021be2) - so we should just remove that support to ensure it can't be abused in some edge-case we haven't thought of yet.
Flags: firefox-backlog+
Sounds OK to me.  We hope to bring back similar functionality at some point in the future, to help sync logged-in state between the site and the device.  But there's no point leaving a potential abuse vector sitting around unmaintained in the meantime.
(In reply to Ryan Kelly [:rfkelly] from comment #1)
> Sounds OK to me.  We hope to bring back similar functionality at some point
> in the future, to help sync logged-in state between the site and the device.

Yeah - but I assume we'd still limit the data being sent to, eg, the uid. IIUC, currently you get kB (and everything else - probably including oauth tokens etc too.)

> But there's no point leaving a potential abuse vector sitting around
> unmaintained in the meantime.

Sounds good - and I think you may as well review it too ;)
Assignee: nobody → markh
Status: NEW → ASSIGNED
Attachment #8652109 - Flags: review?(rfkelly)
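The two handler shapes under discussion, as an added example in JavaScript (not Firefox code and not the attached patch): the "before" dispatcher from comment 0, which hands the whole account record back to whoever can post a session_status message, beside a dispatcher that drops the command and, for the "reply with the uid only" design raised in comment 2, builds any future status reply from named fields and scrubs it before it leaves. The account record is constructed, and every field name except uid, the device-only field list and the uid_status command name are assumptions made for illustration.

```javascript
"use strict";

// Constructed sample record, the kind of data a privileged browser page
// holds. Field names other than uid are assumptions, not the FxA schema.
const SAMPLE_ACCOUNT = {
  uid: "0123456789abcdef0123456789abcdef",
  email: "user@example.com",
  verified: true,
  kB: "00".repeat(32),                 // sync key material
  sessionToken: "11".repeat(32),
  oauthTokens: { profile: "22".repeat(16) },
};

// Fields that must stay on the device (assumed names). Checked recursively
// on every outgoing reply so a handler bug cannot leak them by accident.
const DEVICE_ONLY_FIELDS = new Set([
  "kA", "kB", "unwrapBKey", "keyFetchToken", "sessionToken", "oauthTokens",
]);

// Walk a reply object and return the dotted paths of any device-only field.
function findLeakedFields(value, path = "", found = []) {
  if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (DEVICE_ONLY_FIELDS.has(key)) found.push(childPath);
      findLeakedFields(child, childPath, found);
    }
  }
  return found;
}

// "Before": the behaviour the bug describes. Any content that can post a
// session_status message receives the entire account record.
function dispatchBefore(account, msg) {
  if (msg.command === "session_status") {
    return { command: "session_status", data: account };
  }
  return { error: `unknown command: ${msg.command}` };
}

// "After": session_status is not in the table, so it is refused like any
// other unknown command. The only status-style command left (hypothetical
// uid_status) copies one named field rather than forwarding the record.
const HANDLERS = {
  uid_status(account) {
    return { command: "uid_status", data: { uid: account.uid } };
  },
};

function dispatchAfter(account, msg) {
  // hasOwnProperty rather than `in`, so "toString" or "__proto__" cannot
  // resolve to something on Object.prototype.
  const handler = Object.prototype.hasOwnProperty.call(HANDLERS, msg.command)
    ? HANDLERS[msg.command]
    : null;
  if (!handler) {
    return { error: `unknown command: ${msg.command}` };
  }
  const reply = handler(account, msg);
  const leaked = findLeakedFields(reply);
  if (leaked.length > 0) {
    // Fail closed: a handler that reaches for too much gets no reply at all.
    return { error: `reply would leak device-only fields: ${leaked.join(", ")}` };
  }
  return reply;
}
```

The scrub step is the part worth keeping even once the command table is correct: it turns "we reviewed every handler" into a property the dispatcher enforces on every reply, which is the cheap insurance for the edge case comment 0 mentions not having thought of yet.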
Comment on attachment 8652109 [details] [diff] [review]
0001-Bug-1198071-remove-support-for-session_status-server.patch

Review of attachment 8652109 [details] [diff] [review]:
-----------------------------------------------------------------

> I assume we'd still limit the data being sent to, eg, the uid. IIUC,
> currently you get kB (and everything else - probably including oauth tokens etc too.

IMO none of those things are off the table in future, but we'll have to be very careful and deliberate about any of it.

> and I think you may as well review it too 

LGTM, but I'm going to defer final r? on this to Zach who may have had plans to re-use some of this for what I described above.
Attachment #8652109 - Flags: review?(zack.carter)
Attachment #8652109 - Flags: review?(rfkelly)
Attachment #8652109 - Flags: review+
Attachment #8652109 - Flags: review?(zack.carter) → review+
https://hg.mozilla.org/mozilla-central/rev/86aaa9aafca2
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Iteration: --- → 43.2 - Sep 7
Product: Core → Firefox
Target Milestone: mozilla43 → Firefox 43