Security review of Intersection Observer API

RESOLVED WONTFIX

Status

enhancement
2 years ago
Last year

People

(Reporter: tschneider, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: audit)

Requesting a security review of the Intersection Observer API, as tracked in Bug 1321865.

Spec: https://wicg.github.io/IntersectionObserver/

Concerns raised from bz via dev-platform:

> Has there been a security review?  The reason I ask is that the definition at
> https://wicg.github.io/IntersectionObserver/#intersectionobserver-intersection-root
> means the intersection root can be in a different-origin document, and then
> there are operations that use it, so it would be good to carefully check for
> cross-origin information leaks.  Do we have good tests for the various
> cross-origin scenarios?  I do see some cross-origin testing in
> dom/base/test/test_intersectionobservers.html, which is good.

Blocks: 1321865
This should use the pi-request process if you want to get into the real security-review queue, but hopefully this is a more useful component.
Component: Security → Security: Review Requests
I'm cleaning up the security review requests component as my team is going to start using it for our reviews. As far as I can tell this feature landed in 55. Does it still need the testing requested in comment 0? I assume it had security review as part of the normal review process, and that there isn't anything to do here? Just wanted to check before I close this. (I'm flagging you Jet, as it seems Tobias' bugzilla account is disabled)
Flags: needinfo?(bugs)
Whiteboard: audit
I think we're all set on this feature. We've fuzzed it, and have also fixed a number of issues found after shipping. The feature has cross-origin tests in the tree, and you're welcome to review those for completeness, in case you spot anything we missed:

https://searchfox.org/mozilla-central/source/dom/base/test/test_intersectionobservers.html#975
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/intersection-observer/cross-origin-iframe.html
Flags: needinfo?(bugs)
Thanks Jet.
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX