SecReview: Relax same-origin XHR restrictions for privileged applications

RESOLVED FIXED

Status

mozilla.org
Security Assurance: Review Request
P2
normal
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: curtisk, Assigned: pauljt)

Tracking

Details

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd])

1. Who is/are the point of contact(s) for this review?
2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4. Does this request block another bug? If so, please indicate the bug number
5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6. Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
6a. Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
6b. Are there any portions of the project that interact with 3rd party services?
6c. Will your application/service collect user data? If so, please describe 
7. If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
8. Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
(Assignee)

Updated

6 years ago
Assignee: nobody → ptheriault
Blocks: 754730
(Assignee)

Comment 1

6 years ago
I have reviewed patch v1.1 and I can't see any issues, other than the obvious thing that currently this is controlled by a preference, and does not enforce that only a trusted app can use this functionality. That is blocked on an actual implementation of trusted apps, so I will leave this review open until that is done.
(Assignee)

Updated

6 years ago
Depends on: 756729
(Assignee)

Updated

6 years ago
Priority: -- → P2
(Assignee)

Updated

6 years ago
Depends on: 781331
No longer depends on: 756729
Please score this one and give some dates. Also, are we going to do a team review on this one?
Flags: needinfo?(ptheriault)
Whiteboard: [pending secreview][needs info] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
(Assignee)

Comment 3

5 years ago
This is already complete - I have reviewed with dveditz, and that was just pending the permission model being finalized, which it now is (for future reference, this will have its own permission 'systemXHR' for Firefox OS v1, i.e. it won't be combined with the TCP socket API). It will probably stay separate unless a good reason for merging the two arises. (See bug 783716.)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → FIXED