Closed Bug 748187 Opened 10 years ago Closed 9 years ago

[Security Review]Browser API

Categories

(mozilla.org :: Security Assurance, task, P1)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)

References

()

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy])

B2G contains a browser API so that a browser app can be developed (ie a browser written in HTML/JS/CSS). An API is needed to support this, and this bug is for tracking the security review of this API.

See link for background
Assignee: nobody → ptheriault
Status: NEW → ASSIGNED
Whiteboard: [secr:ptheriault] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Summary: Security Review for Browser API → Security Review for B2G Web Telephony
Summary: Security Review for B2G Web Telephony → [Security Review]Browser API
Duplicate of this bug: 749360
Duplicate of this bug: 749374
Priority: -- → P1
We need to revisit this review now that Browser API is more complete now, and that multi-process has landed (?).
(In reply to Paul Theriault [:pauljt] from comment #4)
> We need to revisit this review now that Browser API is more complete now,
> and that multi-process has landed (?).

Please file a new bug.

But honestly, I don't think a review is a particularly good use of time at this point.  This API lets the embedder totally own the generated content, so it's going to be trusted- and certified-only.  Given that this API will not be exposed to unreviewed content and no actionable items came out of the first review, and given the incredibly tight timeframe we're under, I think Dale, Ben, and my time would be better spent elsewhere.

If you disagree, let's discuss this in the new security review bug.
This was more a note to self (and david chan) - just trying to keep status of secreview bugs up to date. I don't imagine a formal review, just completing the one we already started now that browser API is closer to being finished (although I know there is a still a lot of work to do).
(In reply to Justin Lebar [:jlebar] from comment #5)
> (In reply to Paul Theriault [:pauljt] from comment #4)
> > We need to revisit this review now that Browser API is more complete now,
> > and that multi-process has landed (?).
> 
> Please file a new bug.
> 
> But honestly, I don't think a review is a particularly good use of time at
> this point.  This API lets the embedder totally own the generated content,
> so it's going to be trusted- and certified-only.  Given that this API will
> not be exposed to unreviewed content and no actionable items came out of the
> first review, and given the incredibly tight timeframe we're under, I think
> Dale, Ben, and my time would be better spent elsewhere.
> 
> If you disagree, let's discuss this in the new security review bug.

Created a new security bug (bug 830225) to discuss risks of exposing this API to Privileged Apps, and closing thus closing this bug out.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.