Closed Bug 771353 Opened 12 years ago Closed 5 years ago

Security documentation for Social Integration providers

Categories

(Firefox Graveyard :: SocialAPI, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: amuntner, Unassigned)

The security review identified the importance of giving good security advice to social integration providers.

The secreview wiki (https://wiki.mozilla.org/Security/Reviews/SocialAPI) documents these as proposed or accepted remediations.

The purpose of this bug is for tracking and review of the documentation/guidance to be created for social providers.

My take is that we need to offer two categories of documentation:

1. Guidance for developers
- Their code should never have the user log in from the social window, only from the main browser window
- They should instruct their users that if they see a login request inside the social window, it's spoofed/unsafe and they should not use it
- Guide providers about safe strings to place in notifications - e.g. "Joe has come online" but not "Joe has a new update and here it is: XXXX"
- Information on what is blocked in the sandbox (plugins, etc.)

2. Infrastructure
- How to deploy their code safely
- SocialAPI requires valid SSL certs, safebrowsing checks, same-origin policy of any URLs in the manifest.

Please expand this list as you see the need.
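
An added example, not part of the bug report and not Firefox or SocialAPI source code: a pre-deployment check a provider could run for the HTTPS and same-origin parts of the infrastructure item above (certificate validity and safebrowsing status are not covered). The manifest layout, the rule that every key ending in "URL" is checked, and the sample provider names are assumptions made for illustration.

```javascript
// Added illustration: not Firefox or SocialAPI source code.
// Assumption: a provider manifest is a flat object and every key ending in
// "URL" holds a location the browser would load on the provider's behalf.

function checkManifestUrls(manifestOrigin, manifest) {
  const base = new URL(manifestOrigin);
  const problems = [];
  if (base.protocol !== "https:") {
    problems.push(`manifest origin ${base.origin} is not HTTPS`);
  }
  for (const [key, value] of Object.entries(manifest)) {
    if (!key.endsWith("URL")) continue;
    let target;
    try {
      // Relative values resolve against the manifest origin.
      target = new URL(value, base);
    } catch (e) {
      problems.push(`${key}: not a parseable URL`);
      continue;
    }
    if (target.protocol !== "https:") {
      problems.push(`${key}: scheme ${target.protocol} is not https:`);
    } else if (target.origin !== base.origin) {
      // Origin comparison covers scheme, host and port together.
      problems.push(`${key}: origin ${target.origin} differs from ${base.origin}`);
    }
  }
  return problems;
}

// Constructed sample manifests (hypothetical provider and key names).
const goodManifest = {
  name: "Example Social",
  workerURL: "https://social.example/worker.js",
  sidebarURL: "/sidebar.html",
};
const badManifest = {
  name: "Example Social",
  workerURL: "https://cdn.other.example/worker.js", // different host
  sidebarURL: "http://social.example/sidebar.html", // downgraded scheme
  iconURL: "data:image/png;base64,AAAA",            // not an https: URL
  shareURL: "https://social.example:8443/share",    // different port
};

console.log(checkManifestUrls("https://social.example", goodManifest));
console.log(checkManifestUrls("https://social.example", badManifest));
```
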
SocialAPI was removed from Firefox 57 and is no longer available in any current release.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Product: Firefox → Firefox Graveyard