Security review of Intersection Observer API




2 years ago
Last year


(Reporter: tschneider, Unassigned)




(Whiteboard: audit)

Requesting a security review of the Intersection Observer API, as tracked in Bug 1321865.


Concerns raised from bz via dev-platform:

> Has there been a security review?  The reason I ask is that the definition at
> root means the intersection root can be in a different-origin document, and then 
> there are operations that use it, so it would be good to carefully check for 
> cross-origin information leaks.  Do we have good tests for the various cross-
> origin scenarios?  I do see some cross-origin testing in 
> dom/base/test/test_intersectionobservers.html, which is good.


2 years ago
Blocks: 1321865
This should use the pi-request process if you want to get into the real security-review queue, but hopefully this is a more useful component.
Component: Security → Security: Review Requests
I'm cleaning up the security review requests component as my team is going to start using it for our reviews. As far as I can tell this feature landed in 55. Does it still need the testing requested in comment 0? I assume it had security review as part of the normal review process, and that there isn't anything to do here? Just wanted to check before I close this. (I'm flagging you, Jet, as it seems Tobias' Bugzilla account is disabled.)
Flags: needinfo?(bugs)
Whiteboard: audit
I think we're all set on this feature. We've fuzzed it, and have also fixed a number of issues found after shipping. The feature has cross-origin tests in the tree, and you're welcome to review those for completeness, in case you spot anything we missed:
Flags: needinfo?(bugs)
Thanks Jet.
Closed: Last year
Resolution: --- → WONTFIX