Closed
Bug 764679
Opened 13 years ago
Closed 13 years ago
SecReview: Script Debugger: prefs
Categories
(DevTools :: Debugger, defect)
DevTools
Debugger
Tracking
(firefox15 fixed)
RESOLVED
FIXED
Firefox 16
| Tracking | Status | |
|---|---|---|
| firefox15 | --- | fixed |
People
(Reporter: curtisk, Assigned: past)
References
()
Details
(Whiteboard: [action item])
Attachments
(1 file, 1 obsolete file)
|
8.55 KB,
patch
|
dcamp
:
review+
vingtetun
:
review+
jgriffin
:
review+
mfinkle
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
SecReview tracking bug
2 prefs - allow debugging via localhost / allow debugging via anywhere. Both disabled by default
|
Assignee | |
Comment 1•13 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #0)
> SecReview tracking bug
> 2 prefs - allow debugging via localhost / allow debugging via anywhere. Both
> disabled by default
The way I remember this requirement is that we wanted one additional pref to the one added (or rather enforced) in bug 758696: devtools.debugger.remote-enabled, that allows connections through the remote protocol, over the loopback or other interfaces. The new pref, which I will suggest we name devtools.debugger.local-only, will force the debugger server to bind to the loopback interface if true, instead of all the interfaces, as it currently does.
Status: NEW → ASSIGNED
|
||
Comment 2•13 years ago
|
||
(In reply to Panos Astithas [:past] from comment #1)
> The way I remember this requirement is that we wanted one additional pref to
> the one added (or rather enforced) in bug 758696:
> devtools.debugger.remote-enabled, that allows connections through the remote
> protocol, over the loopback or other interfaces.
This is my recollection also.
|
|
Assignee | |
Comment 3•13 years ago
|
||
This patch works as advertised in my tests on a B2G phone. I have used a conservative default of having the listener bound to the loopback interface only. This is in accordance with the default we picked in bug 758696 of 'Cancel', for the users who don't know any better. If you feel that the usability gains from binding to all interfaces by default (debugging over WiFi), trump any security concerns, let me know.
Attachment #633100 -
Flags: review?(rcampbell)
|
|
Assignee | |
Comment 4•13 years ago
|
||
Comment on attachment 633100 [details] [diff] [review]
Working patch
Passing the review over to Dave, since Rob is on PTO.
Attachment #633100 -
Flags: review?(rcampbell) → review?(dcamp)
|
|
Assignee | |
Comment 5•13 years ago
|
||
Dave made a good point that we don't need to provide callers with the ability to limit binding on the loopback interface, since nobody seems to want that.
Attachment #633100 -
Attachment is obsolete: true
Attachment #633100 -
Flags: review?(dcamp)
Attachment #634463 -
Flags: review?(dcamp)
|
||
Updated•13 years ago
|
Attachment #634463 -
Flags: review?(dcamp) → review+
|
|
Assignee | |
Comment 6•13 years ago
|
||
Comment on attachment 634463 [details] [diff] [review]
Patch v2
Fennec, B2G and Marionette patches are one-liner cleanups, but let's keep this by the book.
Attachment #634463 -
Flags: review?(mark.finkle)
Attachment #634463 -
Flags: review?(jgriffin)
Attachment #634463 -
Flags: review?(21)
|
||
Updated•13 years ago
|
Attachment #634463 -
Flags: review?(jgriffin) → review+
|
||
Updated•13 years ago
|
Attachment #634463 -
Flags: review?(mark.finkle) → review+
Attachment #634463 -
Flags: review?(21) → review+
|
|
Assignee | |
Updated•13 years ago
|
Whiteboard: [action item] → [action item][land-in-fx-team]
|
|
Assignee | |
Comment 7•13 years ago
|
||
Whiteboard: [action item][land-in-fx-team] → [action item][fixed-in-fx-team]
|
|
Assignee | |
Comment 8•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/576e10abf824
There is no Target Milestone field in this bug, but this was fixed in Firefox 16.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [action item][fixed-in-fx-team] → [action item]
|
|
Assignee | |
Comment 9•13 years ago
|
||
Curtis, can I change the product/component of this bug to Developer Tools: Debugger? I can't seem to be able to nominate the patch for aurora uplift as it is.
|
Reporter | |
Comment 10•13 years ago
|
||
Panos - sure, as long as we can keep blocking the sec review bug as well I am fine with that, I use these action items as blockers of the review bug so I can track progress and know when things are done.
|
|
Assignee | |
Comment 11•13 years ago
|
||
OK, thanks.
Component: Security Assurance → Developer Tools: Debugger
Product: mozilla.org → Firefox
QA Contact: security-assurance → developer.tools.debugger
Target Milestone: --- → Firefox 16
Version: other → Trunk
|
|
Assignee | |
Comment 12•13 years ago
|
||
Comment on attachment 634463 [details] [diff] [review]
Patch v2
[Approval Request Comment]
Bug caused by (feature/regressing bug #): New feature
User impact if declined: No visible user impact, but security review has deemed this an important protection against potential abuse
Testing completed (on m-c, etc.): On m-c and fx-team
Risk to taking this patch (and alternatives if risky): Pretty trivial patch on a developer-only feature
String or UUID changes made by this patch: none
Attachment #634463 -
Flags: approval-mozilla-aurora?
|
||
Comment 13•13 years ago
|
||
Comment on attachment 634463 [details] [diff] [review]
Patch v2
[Triage Comment]
Trivial patch, the security team considers this important, approved for Aurora 15.
Attachment #634463 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 14•13 years ago
|
||
status-firefox15:
--- → fixed
|
||
Updated•7 years ago
|
Product: Firefox → DevTools
You need to log in
before you can comment on or make changes to this bug.
Description
•