Closed
Bug 706688
Opened 14 years ago
Closed 14 years ago
[infrasec] Please review two WordPress plugins for use on The Den and other blogs
Categories
(mozilla.org :: Security Assurance: Applications, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: craigcook, Unassigned)
Details
(Whiteboard: [target Q1])
The Den blog (http://blog.mozilla.com/theden) wants to make use of two new plugins:
Wickett Twitter Widget (code is at http://svn.mozilla.org/projects/blog.mozilla.com/trunk/wp-content/plugins/wickett-twitter-widget/) will fetch recent tweets to display in a sidebar.
Twitter Facebook Social Share (code at http://svn.mozilla.org/projects/blog.mozilla.com/trunk/wp-content/plugins/twitter-facebook-google-plusone-share/) adds Twitter, Facebook, and Google+ share links for each post.
They do send and receive data from third party sites, but it's all pretty standard API stuff so hopefully they're doing it in a secure way. If infrasec can review them at your earliest convenience we can activate them on The Den, as well as making them available to other network blogs.
Updated•14 years ago
Whiteboard: [pending secreview]
Comment 1•14 years ago (Reporter)
If this is in the review queue, can we get a target date? It's not especially urgent right now, we just want to have an idea of where it falls on the schedule so we can plan accordingly.
Comment 2•14 years ago
If it's not blocking a Q4 goal then we'd like to target it for January. There are plenty of goal related items that need our attention in the last few weeks of this quarter.
Whiteboard: [pending secreview] → [pending secreview][target Q1]
Comment 3•14 years ago
(In reply to Michael Coates [:mcoates] from comment #2)
> If its not blocking a q4 goal then we'd like to target it for January.
> There are plenty of goal related items that need our attention in the last
> few weeks of this quarter.
Hi Michael,
Technically, this is a leftover from Q3. If it is at all possible, I'd like to get this project closed out in 2011.
That said, if there are high-priority items for the rest of Q4 - can we do this in early January? I'd like to have it no later than January 6. Can you please advise if that delivery date is achievable for your team, so I can communicate back to user engagement as to when this Q3 project will be complete. If not, can you please provide a date?
Thank you,
Carmen
Comment 4•14 years ago
Craig,
Quick question about these plugins: do these plugins cause requests to be sent to facebook/twitter/etc without any interaction from the user? In other words, when a user browses to a page using these plugins, are requests automatically sent to third party sites before the user clicks on anything?
Comment 5•14 years ago (Reporter)
(In reply to Michael Coates [:mcoates] from comment #4)
> Quick question about these plugins, do these plugins cause requests to be
> sent to facebook/twitter/etc without any interaction from the user? In other
> words, when a user browses to a page using these plugins are requests
> automatically sent to third party sites before the user clicks on anything?
Yes, they do GET requests to fetch CSS/JS/JSON/images from external sites on page load. If it's any help, you can see them in action at http://wpstage.focalcurve.com/theden/ and see the requests in firebug (we don't have any other stage server for The Den right now, that's just my private server).
Comment 6•14 years ago
Ok, we'll definitely need to adjust that. It's actually a user privacy issue since these requests to facebook/twitter send the user's cookies for those sites. This essentially lets fb, twitter, etc remotely track every website the user views.
We've captured this guidance in our secure coding guidelines too:
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Connecting_with_Twitter.2C_Facebook.2C_etc
Take a look at how firefoxlive implemented these features - http://www.mozilla.org/en-US/firefoxlive/
The main goal is that no requests can be sent to the third party sites unless the user explicitly clicks on a share button.
Comment 7•14 years ago (Reporter)
OK, that certainly rules out Twitter Facebook Social Share. I can build the sharing buttons into the theme easily, though they won't be able to show a count of how many times an article has been shared (which was in the original design). I'm sure we can live without that.
What about displaying recent tweets? That has to fetch content from Twitter when the page loads, but is there a safe way to do it?
Comment 8•14 years ago
Let me play devil's advocate for a moment, may I? So, this blog is about content, like we've never done content before. Seeing how popular an article is not only encourages more shares, but shows other users how useful content is to them as well.
I'd really, really like to see if we can figure out a way to show a count of how many Facebook likes and Twitter Tweets have already been posted. It really is a fairly standard encounter for users. Is there something we could do that we haven't thought of? (asks the non-coder person)
Does that also affect the Facebook widget on the side? The main goal of that is someone being able to LIKE the page within the content blog, without having to add a click to Facebook. Again, it's a crucial step of eliminating clicks.
Comment 9•14 years ago
(In reply to Carmen from comment #8)
> Let me play devil's advocate for a moment, may I? So, this is blog is about
> content, like we've never done content before. Seeing how popular an article
> is not only encourages more shares, but shows other users how useful content
> is to them as well.
>
> I'd really, really like to see if we can figure out a way to show a count of
> how many Facebook likes and Twitter Tweets have already been posted.
I don't believe this is possible in a privacy compliant way. You may want to ask this question in bug 701759.
> It
> really is a fairly standard encounter for users. Is there something we could
> do that we haven't thought of? (asks the non-coder person)
Great question. Other sites have made the tradeoff to eliminate displaying number of "likes" in order to achieve a facebook/twitter button that respects user privacy and is in line with our privacy policies. It would be great if facebook would provide an option to perform these operations without sacrificing user privacy. However, that hasn't been the case so far.
>
> Does that also affect the Facebook widget on the side? The main goal of that
> is someone being able to LIKE the page within the content blog, without
> having to add a click to Facebook. Again, it's a crucial step of eliminating
> clicks.
I'm not sure which facebook widget you're referring to. Do you have an example page where one is running?
We are trying to develop reusable code that provides the best experience with facebook and twitter. You can follow the progress in bug 701759. However, many sites have created their own buttons since our reusable code is not yet ready.
Comment 10•14 years ago
Hi Michael,
There was another question about fetching the recent Tweets for the Twitter widget. So, we want to pull the last tweet from the @Firefox account into the page. Can we do that?
Can you address that for us?
Thanks
Comment 11•14 years ago
(In reply to Carmen from comment #10)
> Mi Michael,
>
> There was another question about fetching the recent Tweets for the Twitter
> widget. So, we want to pull the last tweet from the @Firefox account into
> the page. Can we do that?
>
> Can you address that for us?
>
> Thanks
If you do this as a server side call within your application it should work fine (for example as an API call).
However, if you perform this via JavaScript then it will run in the user's browser and send the user's cookies - which would violate our privacy goals.
I realize this is jumping into the details, but hopefully it helps answer your question. Let me know if you want to discuss further.
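The rule from comment 6 (nothing may be fetched from a third-party site before the user clicks) together with the server-side fetch Michael describes in comment 11, as an added example that is not code from this bug or from either plugin. It is Python rather than the plugins' PHP, and the first-party host list, the markup and the tweet JSON are constructed samples; the check flags any auto-loading element (script, img, iframe, link) pointing off-site, while plain links are allowed because they only fire on a click.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: hosts treated as first-party for the blog.
FIRST_PARTY = {"blog.mozilla.com", "www.mozilla.org"}
# Elements the browser fetches on page load; each request carries the user's
# cookies for that host, which is the tracking problem described in comment 6.
AUTO_LOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class _AutoLoadCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        if attr is None:
            return  # e.g. <a href>: contacted only after an explicit click, so allowed
        for name, value in attrs:
            if name == attr and value:
                host = urlsplit(value).hostname  # handles "//host/..." too
                if host and host not in FIRST_PARTY:
                    self.hosts.add(host)

def third_party_autoloads(fragment):
    """Hosts a visitor's browser would contact before clicking anything."""
    collector = _AutoLoadCollector()
    collector.feed(fragment)
    return sorted(collector.hosts)

def render_latest_tweet(api_json):
    """Server side: turn tweet JSON that the *server* fetched into first-party HTML."""
    tweets = json.loads(api_json)
    if not tweets:
        return ""
    t = tweets[0]
    # Everything from the API is untrusted text landing in our page: escape it.
    return '<p class="tweet">{} <a href="https://twitter.com/{}/status/{}">link</a></p>'.format(
        html.escape(t["text"]), html.escape(t["user"]["screen_name"]), html.escape(t["id_str"]))

# Constructed samples: a widget-style embed versus click-only share links in the theme.
WIDGET_EMBED = ('<script src="//platform.twitter.com/widgets.js"></script>'
                '<iframe src="https://www.facebook.com/plugins/like.php?href=https://blog.mozilla.com/theden/"></iframe>')
CLICK_ONLY = ('<a href="https://twitter.com/intent/tweet?url=https://blog.mozilla.com/theden/">Tweet</a>'
              '<a href="https://www.facebook.com/sharer/sharer.php?u=https://blog.mozilla.com/theden/">Share</a>')
SAMPLE_TWEETS = '[{"id_str": "12345", "text": "Firefox <3 you & me", "user": {"screen_name": "firefox"}}]'
```

Running `third_party_autoloads` over a staged page's markup (or the plugin's generated output) is a quick way to confirm the widget version contacts Twitter and Facebook on load while the theme's plain links and the server-rendered tweet do not.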
Comment 12•14 years ago (Reporter)
Since neither of the two plugins I initially opened this bug for will pass muster, I'm gonna call this bug done. We've found a good workaround for the sharing buttons and we'll work on fetching tweets separately, no reason to keep this bug open any longer. Thanks!
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Updated•14 years ago
Keywords: sec-review-needed
Updated•14 years ago
Keywords: sec-review-needed
Whiteboard: [pending secreview][target Q1] → [target Q1]