755950 - SecReview: Provide a thumbnail service

Status: RESOLVED WORKSFORME

(mozilla.org :: Security Assurance: Review Request, task)

Description

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

Tim, the security assurance team has some concerns over the protocol being used around this service and I believe we may want to look into this a bit deeper than what is happening for the privacy review. Please answer the questions below or assign this bug to someone who can take point on it that would be great.

1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
8) Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
9) Are there any portions of the project that interact with 3rd party services?
10) Will your application/service collect user data? If so, please describe
11) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):

Comment 1

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

so the bug this is blocking is resolved yet the sec-review was not done...can you please update me on the status so we can get this scheduled/completed?

Comment 2

[Tim Taubert [:ttaubert] (inactive)]

This completely slipped off my plate, sorry. Feel free to ping me directly next time. The feature has already landed as you might know but I'll still try to answer some questions to get this done....

(In reply to Curtis Koenig [:curtisk] from comment #0)
> 1) Who is/are the point of contact(s) for this review?

Yoric and me I guess. There's also a couple more people in the Fx Desktop team that know how it works.

> 2) Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

The thumbnail service captures thumbnails of pages the user visits to use them for various features in the product (e.g. about:newtab). We're also currently preparing a background service that will be able to load privacy-sensitive pages in "private mode" (without any cookies, etc.) to capture screenshot of those pages (bug 841495). We currently don't capture thumbnails of Facebook but with the new feature we'll capture the start page of it, without the user being logged in.

> 8) Does this feature or code change affect Firefox, Thunderbird or any
> product or service the Mozilla ships to end users?

Firefox. It's recently been moved to Toolkit so that Metro can use it, too. And maybe other products in the future.

> 9) Are there any portions of the project that interact with 3rd party
> services?

No.

> 10) Will your application/service collect user data? If so, please describe

Yes, screenshots of pages visited, stored in $ProfLD/thumbnails/. We do not capture thumbs for pages that send a Cache-Control:no-store header (bug 850685) but we currently still do for pages that for example have a CC:no-store iframe (bug 823829).