740429 - [Security Review][Action Item]GCLI - AMO prefs

Status: RESOLVED INVALID

(addons.mozilla.org Graveyard :: Add-on Validation, defect)

Description

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

Who :: Action :: by when
dveditz :: communicate turn-on prefs to AMO team so they can be flagged for review in add-ons that mess with it :: by beta

Comment 1

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

2nd item (one bug instead of 2 since they both involve AMO)
Who :: Action :: by when
dveditz ::communicate command-adding API to AMO team for add-on scanning :: by beta

Comment 2

[Joe Walker [:jwalker]]

My understanding of this bug is that it's about a pref for any commands that allow execution of arbitrary os level commands (i.e. bug 754315).
The command line itself (while currently preffed off with devtools.toolbar.enable) is designed to be preffed on by default.

Comment 3

[David Chan [:dchan]]

I think what we want is to inform Wil and the AMO team to add
devtools.toolbar.enable
to the list of preferences checked by the AMO validator. This adds some protection against an addon hosted on AMO from changing the setting.

Comment 4

[Wil Clouser [:clouserw]]

Jorge is who you want to talk to.  He'll help determine what we can flag and the wording/severity.  Jorge, once you have this let me know what we need to change.

Comment 5

[Jorge Villalobos [:jorgev] (he/him)]

Can someone explain what devtools.toolbar.enable does? I don't understand it from the comments.

Comment 6

[Joe Walker [:jwalker]]

It just enables the new developer tools toolbar. I'm not aware of any security sensitive implications of having it turned on by a plugin though

Comment 7

[Joe Walker [:jwalker]]

The developer toolbar does not currently have any prefs that we need to check for in the AMO validator. We should raise a new bug if we do add one, but for now, this bug doesn't track anything real.