1492754 - Security testing for enhancements to Privacy Panel, Cookie Restrictions, and FastBlock

Status: RESOLVED FIXED

(Firefox Graveyard :: Security: Review Requests, enhancement, P1)

Description

[Paul Theriault [:pauljt] (no longer reading bugmail)]

These are three seperate features, so we might be three seperate bugs, but one will do for now while we figure out what needs testing.

Comment 2

[Stephanie Ouillon [:arroway] (needinfo me)]

FastBlock is being delayed, so is out of scope for this testing.

Meta bug for cookie restrictions is bug 1473978
Meta bug for changes of the Privacy Panel is bug 1461743

Comment 3

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Steph - is there any security testing to do here? Looking at the privacy panel, we are just adding some changes to privacy settings in about:preferences. I assume QA will cover off that the feature works as intended.

However for cookie restrictions, I see bugs like bug 1231543, which relates to tracking protection not working on data URIs. Maybe we could perform some testing of edge cases to ensure that cookie restrictions behave as intended. Maybe even develop some kinda of automated/semi-automated tests for this. I'll send an email to folks to see if this would be worthwhile.

Comment 4

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Actually I'll let you email Steph, since it occurs to me that maybe you already asked the question. But basically I was going to email Ehsan, Tanvi & Francois and ask them if they though it was worthwhile to invest time in performing security testing around various edge cases to check that cookie restrictions are working as intended. I was thinking of testing common sources of issues like, redirects, non-http URIs, web extension etc. It doesn't seem high risk to me, and I would think that for the most part automated tests would (should?) cover this, but the presence of bug 1231543 makes me wonder.