Requesting a security review of the Intersection Observer API, as tracked in Bug 1321865.

Spec: https://wicg.github.io/IntersectionObserver/

Concerns raised from bz via dev-platform:

> Has there been a security review? The reason I ask is that the definition at
> https://wicg.github.io/IntersectionObserver/#intersectionobserver-intersection-root
> means the intersection root can be in a different-origin document, and then
> there are operations that use it, so it would be good to carefully check for
> cross-origin information leaks. Do we have good tests for the various
> cross-origin scenarios? I do see some cross-origin testing in
> dom/base/test/test_intersectionobservers.html, which is good.
This should use the pi-request process if you want to get into the real security-review queue, but hopefully this is a more useful component.
Component: Security → Security: Review Requests
I'm cleaning up the security review requests component as my team is going to start using it for our reviews. As far as I can tell this feature landed in 55. Does it still need the testing requested in comment 0? I assume it had security review as part of the normal review process, and that there isn't anything to do here? Just wanted to check before I close this. (I'm flagging you, Jet, as it seems Tobias' Bugzilla account is disabled.)
I think we're all set on this feature. We've fuzzed it, and have also fixed a number of issues found after shipping. The feature has cross-origin tests in the tree, and you're welcome to review those for completeness, in case you spot anything we missed:

https://searchfox.org/mozilla-central/source/dom/base/test/test_intersectionobservers.html#975
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/intersection-observer/cross-origin-iframe.html
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX