Closed Bug 749806 Opened 8 years ago Closed 7 years ago
[Security Review] Notifications Back End
We would like a security review for the Notifications Project back end. This portion of the product deals with collection, temporary storage, and routing of short notification messages from a third party site to a user. A separate security review for the front end service will be scheduled at a later date, once more of that code is finalized.

Who is/are the point of contact(s) for this review?
JR Conlin (firstname.lastname@example.org)
Jeff Balogh (email@example.com)

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
Description: Notifications provides a semi-anonymous method for a third party site or service to communicate a short message with a customer without the user needing to keep a page open with the site. Messages can be received and processed by any Notifications-capable device or browser. Sites post to a URL that is then routed to a user and then picked up via whatever the user has as their active agent.
Use Cases:
At work, a user visits a surf report site that offers surf condition notifications. They click a link requesting a notification when surf is perfect. Later, while at home, they receive a notification alert on their browser informing them that Surf's Up. (No identifying information needs to be supplied to the site.)
A user visits a mail site and requests notifications when high priority mail arrives. (Site associates notification URL with a user.)
A user has requested to be notified of pending moves in a Game App.

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
https://wiki.mozilla.org/Services/Notifications
https://wiki.mozilla.org/Services/Notifications/Push

Does this request block another bug? If so, please indicate the bug number.
N/A

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
This product is not scheduled for production until end of Q3. Urgency is medium.

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
N/A

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
No.

Are there any portions of the project that interact with 3rd party services?
Yes. (Third parties provide notification content.)

Will your application/service collect user data? If so, please describe.
Unread/Undelivered notifications may persist on our servers for up to three days. We are providing an encryption option for messages.

If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
None.

Desired Date of review (if known) and list of invitees:
Date: When possible
Invitees: ally@ dchen@ jbalogh@ jrconlin@ mconnor@
:jrconlin - we will triage the bug this Wed and get a lead assigned to gather background information. Reviews happen on M/W at 13:00 PST and Th/F at 10:00 PST. It is per our calendar https://firstname.lastname@example.org/Security%20Review.html If there is an available date that works well for your team and their time zones, it helps if we know that.
Whiteboard: [pending secreview] → [pending secreview][triage needed 2012.05.02]
Assignee: nobody → dchan+bugzilla
Status: NEW → ASSIGNED
Whiteboard: [pending secreview][triage needed 2012.05.02] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Added etherpad: https://etherpad.mozilla.org/NotificationsSecReview
Feature Page: https://wiki.mozilla.org/Features/Services/Notifications
Depends on: 765378
Depends on: 765383
Depends on: 765384
Depends on: 765385
Marking this resolved-fixed as the review occurred. When all dependent bugs are fixed, we can make this verified-fixed.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Please note: It is not known if the B2G Notifications system (see bug 763198) uses this back-end. If not, this should not indicate that the B2G Notifications backend has been successfully reviewed.