Security documentation for Social Integration providers

NEW
Unassigned

Status


Firefox
SocialAPI
6 years ago
6 years ago

People

(Reporter: adamm, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

The security review identified the importance of giving good security advice to social integration providers.

The secreview wiki (https://wiki.mozilla.org/Security/Reviews/SocialAPI) documents these as proposed or accepted remediations.

The purpose of this bug is for tracking and review of the documentation/guidance to be created for social providers.

My take is that we need to offer two categories of documentation:

1. Guidance for developers
- Their code should never have the user login from the social window, only from the main browser window
- They should instruct their users that if they see a login request inside the social window, it's spoofed/unsafe and they should not use it
- Guide providers about safe strings to place in notifications - e.g. "Joe has come online" but not "Joe has a new update and here it is: XXXX"
- Information on what is blocked in the sandbox (plugins, etc)

2. Infrastructure
- How to deploy their code safely
- SocialAPI requires valid SSL certs, safebrowsing checks, same-origin policy of any URLs in the manifest.

Please expand this list as you see the need.
(Reporter)

Updated

6 years ago
Duplicate of this bug: 771352