Closed Bug 1252478 Opened 8 years ago Closed 8 years ago

Security Review for making AMO installs "one-click"

Categories

(Toolkit :: Add-ons Manager, defect)

RESOLVED FIXED

People

(Reporter: shell, Unassigned)

Bug to track getting a review/discussion about making security bugs "one click"
Blocks: 1153226
Resolving as the discussion went well on the UX - next step is to take the areas we want to make sure are secure and do Process flow.

Notes from security discussion.....
UX: https://invis.io/BX69Y1HAC & https://docs.google.com/document/d/1w_PqkIEk-36dyGBBPO_QaHJeL9-I1Oo1-QwcBHOew9s/edit# Under the "Mar 1st" header

From security review - main concerns:
~make sure not embedded in another site to not worry about click-jacking. Though we are embedded into our site - so need to make sure we're using the xframes.
~Only applies for Reviewed add-ons - would need flag to non-reviewed to add extra prompts. Discovery page not an issue - but on AMO there are both types… so how to handle… P2.5 Error if non-reviewed shows up on Discovery page
~if someone navigated to zippy from AMO - need UI from site coming from rather than UI from site serving from. (could make sure doing through JavaScript API)
~make sure web sites use SRI, CSP, and any other secure functions
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
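
The framing concern in the first note (embedded in our own site, never in another), as an added example that is not part of the bug or of Mozilla's code. It reads "xframes" as the `X-Frame-Options` header and also checks CSP `frame-ancestors`; the function names and the `discovery.example` origin are hypothetical, and a single CSP header per response is assumed.

```javascript
// Added example: classify how a response may be framed, from its headers.
// `headers` is a plain object keyed by lower-cased header name (assumption).

// Return the frame-ancestors source list of a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Returns "deny", "same-site-only", "third-party-allowed" or "unprotected".
// `trustedOrigins` lists first-party origins that are allowed to embed the page.
function framingPolicy(headers, trustedOrigins = []) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // Browsers that support frame-ancestors ignore X-Frame-Options when both are sent.
    // An empty source list matches no ancestor, the same as 'none'.
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return "deny";
    const firstParty = sources.every((s) => s === "'self'" || trustedOrigins.includes(s));
    return firstParty ? "same-site-only" : "third-party-allowed";
  }
  const xfo = String(headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-site-only";
  // Missing header, obsolete ALLOW-FROM, or an unknown value: no framing protection.
  return "unprotected";
}

// Constructed sample responses for an install page (not captured from AMO).
const samples = {
  "csp-self": { "content-security-policy": "default-src 'self'; frame-ancestors 'self'" },
  "xfo-only": { "x-frame-options": "SAMEORIGIN" },
  "wildcard-overrides-xfo": { "content-security-policy": "frame-ancestors *", "x-frame-options": "DENY" },
  "allow-from": { "x-frame-options": "ALLOW-FROM https://discovery.example" },
  "no-headers": {},
};

// Names of the samples whose policy would let another site frame the page.
function failingSamples() {
  return Object.keys(samples).filter((name) =>
    !["deny", "same-site-only"].includes(framingPolicy(samples[name])));
}

console.log(failingSamples());
```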