Closed Bug 642726 Opened 13 years ago Closed 13 years ago

Client security review

Product: Mozilla Labs :: F1 (defect)
Type: defect; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID
Reporter: philikon; Assignee: Unassigned
References: Depends on 1 open bug

Need to get security review for the addon, the JS web client and particularly their interaction.
Johnny suggested I'd CC Jonas, bz and Blake on this, so here we go:  The Services team has been asked to integrate the "F1" add-on into Firefox. Target release is Firefox 5 which is to branch in a matter of weeks.

Under the hood F1 is three things:
* a server that takes incoming share requests and performs them on the respective service (Twitter, Facebook, etc.). This component is outside the scope of this bug and will receive security review by the infrasec team, AFAIUI.
* a web client that drives the share UI. It consists of static HTML and JS pages served off the web. It stores state (account profiles and OAuth tokens) right now using localStorage, though we're planning to change that (bug 642660). It communicates with the Firefox chrome code using postMessage.
* a small bit of Firefox integration code that loads the web client in an iframe. It pushes information like the URL, title, thumbnail, etc. into the web client using postMessage.

The objective of this bug is to vet the interaction between the two client bits: the web client and the surrounding Firefox chrome code. Their shared "API" has been documented here: https://github.com/mozilla/f1/wiki/Addon-Web-Data-API%3A-v0. As described in that document, there are plans to refactor some details, but the overall design of using postMessage to communicate between chrome and web level code will remain.
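
A receiver on either side of a postMessage boundary like the one described above has to check who sent a message and what it contains before acting on it. The following is an added example, not part of the bug report or the F1 code: only the url, title and thumbnail fields come from the description, while the origin, the `share-data` topic, the envelope shape and the size limits are assumptions.

```javascript
// Added example; names marked "hypothetical" are not from the F1 code base.
const TRUSTED_ORIGIN = "https://f1.example"; // hypothetical web-client origin
const MAX_TITLE = 512;                        // assumed limit (characters)
const MAX_THUMBNAIL = 256 * 1024;             // assumed limit (characters)
const THUMBNAIL_RE = /^data:image\/(png|jpeg);base64,[A-Za-z0-9+/=]+$/;

// Accept only http(s) URLs; rejects javascript:, data:, chrome: and similar.
function safeHttpUrl(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Validate one MessageEvent-like object ({origin, data}).
// Returns a fresh object holding only the vetted fields, or null.
function validateShareMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  // Exact string match: prefix or substring checks let look-alike origins in.
  if (!event || event.origin !== trustedOrigin) return null;
  let msg = event.data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch (e) { return null; }
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (msg.topic !== "share-data") return null; // hypothetical topic name
  const d = msg.data;
  if (d === null || typeof d !== "object") return null;

  const url = safeHttpUrl(d.url);
  if (!url) return null;
  if (typeof d.title !== "string" || d.title.length > MAX_TITLE) return null;
  let thumbnail = null;
  if (d.thumbnail !== undefined) {
    if (typeof d.thumbnail !== "string") return null;
    if (d.thumbnail.length > MAX_THUMBNAIL) return null;
    if (!THUMBNAIL_RE.test(d.thumbnail)) return null;
    thumbnail = d.thumbnail;
  }
  // Copy field by field so unexpected properties never reach the caller.
  return { url, title: d.title, thumbnail };
}
```

In a page or chrome listener this would be called as `validateShareMessage(event)` inside the `message` handler, with every `null` result dropped without further processing.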
Depends on: 647333
Depends on: 643005
Depends on: 650201
This bug should have an owner. Assigning it to dchan since he's been doing lots of reviewing already.
Assignee: nobody → dchan
Depends on: 654812
To my understanding there is an openwebapps security review August 26 @ 1:00, which will include review for F1 based on webapps.
Assignee: dchan → nobody
Component: Share: Firefox Client → F1
Product: Mozilla Services → Mozilla Labs
QA Contact: share-fx-client → f1
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
f1 is no longer an active project.  delete these messages by searching for: [closing_f1_project_bugs]
Resolution: DUPLICATE → INVALID