Did this feature go through security review when it first landed? If not, it'd probably be a good idea to have it do that regardless now.
(In reply to comment #1)
> Did this feature go through security review when it first landed? If not, it'd
> probably be a good idea to have it do that regardless now.

It's not landed yet.
My current thinking is that it would be good if we can have the command line execute with chrome privs, protecting it from page resources, rather than the other way around (i.e. executing with page privs, sandboxed from chrome resources). Not sure if that's possible.
Jesse - Are you the best person to talk to about getting this command line feature reviewed? Thanks,
curtisk has been organizing security reviews lately.
Review TBD added to sec team review radar https://wiki.mozilla.org/Security/Radar/Active#Firefox:_In_Progress
Bug 664693 tracks the documenting of the commands.
Bug 664696 tracks the reviewing of the commands by mrbkap.
The notes from the etherpad have gone - will they be published anywhere? I'd like to close this bug now - any objections?
mrbkap is supposed to review the wrapper implementation
security team will review the list of commands
Notes are posted here: https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/GCLI
I've added the bugs I raised to the wiki page - thanks for posting that. I'll close this bug tomorrow unless anyone complains. Many thanks.
Marking verified because there is no UI proof that the bug is fixed. The proof is in the comments above.