Infrasec review for new JS social sharing library

RESOLVED FIXED

Status

mozilla.org
Security Assurance: Review Request
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: cmore, Assigned: ygjb)

Tracking

Details

(Whiteboard: [completed secreview][start 07/03/2012][target 07/13/2012])

(Reporter)

Description

6 years ago
Per bug 701759, we have developed a new social sharing JavaScript library that keeps user data private until they decide to share a web page. The code is currently in code review, but will need an Infrasec review. There is not a lot of code to review so it should go pretty quick. Bug 723761 is the technical implementation of the sharing library.

As soon as the code is past code review, I will provide a link to the repo to review.
(Reporter)

Updated

6 years ago
Blocks: 723761
QA Contact: mcoates → jstevensen
Assignee: security-assurance → yboily
Whiteboard: [pending secreview] → [secr:yvan]
Status: NEW → ASSIGNED
(Reporter)

Comment 1

6 years ago
The social sharing library is now code complete and we would like to proceed with the security review.

The demo and code can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=723761#c50

Who is/are the point of contact(s) for this review?

Chris More

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

Be able to use Facebook, Twitter, and Google+ social sharing widgets without exposing user data until a user action (click).

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

More info: https://bugzilla.mozilla.org/show_bug.cgi?id=701759


Does this request block another bug? If so, please indicate the bug number

No

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

No extremely urgent as we will release it on some websites when it is ready.

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

No

Are there any portions of the project that interact with 3rd party services?

Yes

Will your application/service collect user data? If so, please describe 

Yes, data will move between the end user and one of the social websites if they are logged in.

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

All good.

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Keywords: sec-review-needed
Whiteboard: [secr:yvan] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
(Reporter)

Comment 2

5 years ago
Please proceed with the security review of the social sharing widget. 

Demo: http://people.mozilla.org/~pmclanahan/collusion/
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start 07/03/2012][target 07/13/2012]
(Reporter)

Comment 3

5 years ago
Code here: https://github.com/mozilla/SocialShare/
(Assignee)

Comment 4

5 years ago
  
I will continue some additional testing around this, but based on a review of the code and the demo page, it seems pretty good!  Very happy to see this completed!
Keywords: sec-review-complete
Whiteboard: [pending secreview][start 07/03/2012][target 07/13/2012] → [start 07/03/2012][target 07/13/2012]
Flags: sec-review+
this appears to be resolved-fixed but not marked as so
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [start 07/03/2012][target 07/13/2012] → [completed secreivew][start 07/03/2012][target 07/13/2012]
Whiteboard: [completed secreivew][start 07/03/2012][target 07/13/2012] → [completed secreview][start 07/03/2012][target 07/13/2012]
You need to log in before you can comment on or make changes to this bug.