Closed
Bug 642726
Opened 13 years ago
Closed 13 years ago
Client security review
Categories
(Mozilla Labs :: F1, defect)
Mozilla Labs
F1
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: philikon, Unassigned)
References
(Depends on 1 open bug)
Details
Need to get security review for the addon, the JS web client and particularly their interaction.
Reporter
Comment 1•13 years ago
Johnny suggested I'd CC Jonas, bz and Blake on this, so here we go:

The Services team has been asked to integrate the "F1" add-on into Firefox. Target release is Firefox 5 which is to branch in a matter of weeks. Under the hood F1 is three things:

* a server that takes incoming share requests and performs them on the respective service (Twitter, Facebook, etc.). This component is outside the scope of this bug and will receive security review by the infrasec team, AFAIUI.
* a web client that drives the share UI. It consists of static HTML and JS pages served off the web. It stores state (account profiles and OAuth tokens) right now using localStorage, though we're planning to change that (bug 642660). It communicates with the Firefox chrome code using postMessage.
* a small bit of Firefox integration code that loads the web client in an iframe. It pushes information like the URL, title, thumbnail, etc. into the web client using postMessage.

The objective of this bug is to vet the interaction between the two client bits: the web client and the surrounding Firefox chrome code. Their shared "API" has been documented here: https://github.com/mozilla/f1/wiki/Addon-Web-Data-API%3A-v0. As described in that document, there are plans to refactor some details, but the overall design of using postMessage to communicate between chrome and web level code will remain.
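
Added example, not part of the bug report and not F1's code: a sketch of what a review of the receiving end of such a postMessage channel typically checks (sender origin, sender window, and the shape of the pushed URL, title and thumbnail) before anything reaches code that handles stored tokens. The origin value, the `share-request` topic, the message layout and the function names are assumptions made for illustration; the real message format is in the wiki page linked above.

```javascript
// Hypothetical names and values throughout; not the F1 API.
const EXPECTED_ORIGIN = "https://embedder.example"; // placeholder for the sender's origin
const MAX_TITLE = 512;                              // assumed cap on title length

// Accept only http(s) page URLs; javascript:, data:, file: etc. are rejected.
function isHttpUrl(value) {
  if (typeof value !== "string") return false;
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false;
  }
}

// Assumption: thumbnails arrive as base64 PNG or JPEG data URLs.
function isImageDataUrl(value) {
  return typeof value === "string" &&
    /^data:image\/(png|jpeg);base64,[A-Za-z0-9+/]+={0,2}$/.test(value);
}

// Returns a sanitized share request, or null if the message must be ignored.
function validateShareMessage(event, expectedSource) {
  if (event.origin !== EXPECTED_ORIGIN) return null; // unexpected sender origin
  if (event.source !== expectedSource) return null;  // not the window we talk to
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return null;                                     // malformed JSON
  }
  if (!msg || typeof msg !== "object" || msg.topic !== "share-request") return null;
  const { url, title, thumbnail } = msg.data || {};
  if (!isHttpUrl(url)) return null;
  if (typeof title !== "string" || title.length > MAX_TITLE) return null;
  if (thumbnail !== undefined && !isImageDataUrl(thumbnail)) return null;
  // Copy only the known fields so unexpected properties are dropped here.
  return { url: new URL(url).href, title, thumbnail: thumbnail || null };
}

// Browser wiring, commented out so the block also runs outside a browser:
// window.addEventListener("message", (e) => {
//   const req = validateShareMessage(e, window.parent);
//   if (req) renderShareUi(req); // renderShareUi is hypothetical
// });
```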
Reporter
Comment 2•13 years ago
This bug should have an owner. Assigning it to dchan since he's been doing lots of reviewing already.
Assignee: nobody → dchan
Comment 3•13 years ago
To my understanding there is an openwebapps security review August 26 @ 1:00, which will include review for F1 based on webapps.
Assignee: dchan → nobody
Component: Share: Firefox Client → F1
Product: Mozilla Services → Mozilla Labs
QA Contact: share-fx-client → f1
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Comment 5•11 years ago
f1 is no longer an active project. delete these messages by searching for: [closing_f1_project_bugs]
Resolution: DUPLICATE → INVALID