Closed Bug 1570738 Opened 5 years ago Closed 5 years ago

Prevent usage of eval() in any context in the Parent Process

Categories

(Core :: DOM: Security, task, P2)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox70 --- fixed

People

(Reporter: tjr, Assigned: tjr)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

data-review.txt
6.12 KB, text/plain
chutten
: data-review+
Details
Bug 1570738 - Record Telemetry if eval() is used in the Parent Process
47 bytes, text/x-phabricator-request
Details | Review

Assuming I did this try run successfully - we don't have any such usage!
https://treeherder.mozilla.org/#/jobs?repo=try&revision=3320cee4a3776e5f9eaf02a3c3470bb0c101ad87

I'm going to update the patch to collect telemetry and send it out to Nightly...

Attached file data-review.txt

This Data Review is basically a copy/paste as the one you just reviewed in Bug 1567623 - except now it's looking at eval usage in the parent process.

Attachment #9082418 - Flags: data-review?(chutten)
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]

Bugbug thinks this bug is a task, but please change it back in case of error.

Type: defect → task
Comment on attachment 9082418 [details]
data-review.txt

( ni?ckerschb to clarify that they're fine with being nominated to permanently monitor this data )

DATA COLLECTION REVIEW RESPONSE:

    Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?

Yes. This collection is Telemetry so is documented in its definitions file [Events.yaml](https://hg.mozilla.org/mozilla-central/file/tip/toolkit/components/telemetry/Events.yaml) and the [Probe Dictionary](https://telemetry.mozilla.org/probe-dictionary/).

    Is there a control mechanism that allows the user to turn the data collection on and off?

Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.

    If the request is for permanent data collection, is there someone who will monitor the data over time?

Yes, ckershub is responsible.

    Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?

Category 1, Technical.

    Is the data collection request for default-on or default-off?

Default on for all channels.

    Does the instrumentation include the addition of any new identifiers?

No.

    Is the data collection covered by the existing Firefox privacy notice?

Yes.

    Does there need to be a check-in in the future to determine whether to renew the data?

No. This collection is permanent.

---
Result: datareview+
Flags: needinfo?(ckerschb)
Attachment #9082418 - Flags: data-review?(chutten) → data-review+

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/428881fad4a8
Record Telemetry if eval() is used in the Parent Process r=ckerschb

Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/428881fad4a8

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox70: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

(In reply to Chris H-C :chutten from comment #4)

Comment on attachment 9082418 [details]
data-review.txt

( ni?ckerschb to clarify that they're fine with being nominated to
permanently monitor this data )

Yes, that's fine with me. Thanks!

Flags: needinfo?(ckerschb)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: