Status

mozilla.org
Security Assurance: Review Request
VERIFIED FIXED
6 years ago

People

(Reporter: curtisk, Assigned: curtisk)

Who is/are the point of contact(s) for this review?
    
Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
    
Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
    
Does this request block another bug? If so, please indicate the bug number.

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

Are there any portions of the project that interact with 3rd party services?

Will your application/service collect user data? If so, please describe 

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.

Comment 1

6 years ago
Hello. This is my first review request! I'll try my best.
We have changed the TB default start page to replace the content. 
New page has links to SUMO, AMO, TB Blog, and Contribute Mozilla page

Link is http://momodev.org/en-US/thunderbird/release/start/index2.html 

Due date is ASAP as this project is already 3 weeks behind schedule.
Thanks.

If you could please reply to comment 0 and answer the questions, that would be very helpful so we can determine the proper steps to take next.

(In reply to Curtis Koenig [:curtisk] from comment #0)
> Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

This "feature" is a change to the start page that is entirely hosted on mozilla.org's web server.

> Does this feature or code change affect Firefox, Thunderbird or any product
> or service the Mozilla ships to end users?

No.

> Are there any portions of the project that interact with 3rd party services?

No.

> Will your application/service collect user data? If so, please describe 

There is no extension beyond the previous start page.

> If you feel something is missing here or you would like to provide other
> kind of feedback, feel free to do so here (no limits on size):

This is a web site only change, that we tracked via a feature page. I don't think any separate review is necessary.

I'm sort of confused why this bug was even filed? As Mark said, there's no need for security review here, this feature doesn't involve user data and does not interact with users or external services in any way (account login, API usage, etc). It's purely content published on the website.

(In reply to Andrei Hajdukewycz [:sancus] from comment #4)
> I'm sort of confused why this bug was even filed? As Mark said, there's no
> need for security review here, this feature doesn't involve user data and
> does not interact with users or external services in any way (account login,
> API usage, etc). It's purely content published on the website.

The bug was filed because the feature page was flagged as sec-review-needed. Whenever a feature page adds a release train/vehicle the security team triages them and decides if we feel there could be a security concern. This bug was filed to track progress on completing that task. The first part of that process is to gather more information to make a final determination on whether action is needed or not and if so what kind of action.

With the added information above (that is not on the feature page wiki) we can triage this item one more time and determine our next steps. 

Thanks for working with us and providing information that will assist us in making the best determination on actions to protect our users.

Triaged to not need a sec-review.
Assignee: nobody → curtisk
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview]

(In reply to Mark Banner (:standard8) from comment #3)
> This is a web site only change, that we tracked via a feature page. I don't
> think any separate review is necessary.

From the feature page we thought it could be some sort of client-processed snippets the way Firefox does its about:home tip of the day. Sorry for the confusion.

Status: RESOLVED → VERIFIED