Closed Bug 688281 Opened 8 years ago Closed 8 years ago

Port bug 660684

Categories

(SeaMonkey :: Sync UI, defect)


Tracking

(seamonkey2.4 wontfix, seamonkey2.5 fixed, seamonkey2.6 fixed)

RESOLVED FIXED
seamonkey2.6

People

(Reporter: InvisibleSmiley, Assigned: InvisibleSmiley)

Details

(Whiteboard: [sg:moderate])

Attachments

(1 file)

Not much to say here since bug 660684, which is to be ported here, is still closed. Meanwhile Callek gave me access to that bug, but it doesn't contain any real reasoning and instead points to yet another closed bug, 643463.

Callek, I hope you can make sense of this and make a final decision whether this is needed at all (otherwise just FF compat). Consult whoever you feel necessary, and if you add confidential info here, feel free to raise the security level.

This was originally fixed for FF with the following changeset:
http://hg.mozilla.org/mozilla-central/rev/89822eff0816
[and no, we don't need the Content Type header since, unlike FF, we actually save the file as .xhtml]
Attachment #561567 - Flags: review?(bugspam.Callek)
Comment on attachment 561567 [details] [diff] [review]
patch [Checkin: comments 3 and 6]

I would argue explicitly setting a meta for content-type would be useful (for utf-8 charset here) but that can be another bug.
Attachment #561567 - Flags: review?(bugspam.Callek) → review+
Marking this bug sec-group so I can tell you why, and because the other bug this ports is still hidden...

Basically there exists the case where machine search services (such as Google Desktop Search) can find the sync key, even with unrelated searches, based on text in our page here. This can allow other users to get data from Sync even if they would otherwise not have access to the user's profile, if the sync key is saved in a public place.

This meta directive helps to alleviate this problem.
Group: core-security
Assignee: nobody → jh
Comment on attachment 561567 [details] [diff] [review]
patch [Checkin: comments 3 and 6]

http://hg.mozilla.org/comm-central/rev/6fd843ebdfcc
Attachment #561567 - Attachment description: patch → patch [Checkin: comment 3]
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.6
Comment on attachment 561567 [details] [diff] [review]
patch [Checkin: comments 3 and 6]

Maybe we should even have this on the branches?
Attachment #561567 - Flags: approval-comm-beta?
Attachment #561567 - Flags: approval-comm-aurora?
No longer blocks: sync2sm
Attachment #561567 - Flags: approval-comm-beta?
Attachment #561567 - Flags: approval-comm-beta+
Attachment #561567 - Flags: approval-comm-aurora?
Attachment #561567 - Flags: approval-comm-aurora+
Comment on attachment 561567 [details] [diff] [review]
patch [Checkin: comments 3 and 6]

Note beta+ approval is NOT for Gecko 7, as it is too late for that, just a matter of "ok to land on Gecko 8 wherever it is when you get here"
Comment on attachment 561567 [details] [diff] [review]
patch [Checkin: comments 3 and 6]

http://hg.mozilla.org/releases/comm-aurora/rev/f22d01143155
Attachment #561567 - Attachment description: patch [Checkin: comment 3] → patch [Checkin: comments 3 and 6]
Attachment #561567 - Flags: approval-comm-beta+
Whiteboard: [sg:moderate]
Group: core-security → core-security-release
Group: core-security-release