The security review identified the importance of giving good security advice to social integration providers. The secreview wiki (https://wiki.mozilla.org/Security/Reviews/SocialAPI) documents these as proposed or accepted remediations The purpose of this bug is for tracking and review of the documentation/guidance to be created for social providers. My take is that we need to offer two categories of documentation: 1. Guidance for developers - Their code should never have the user login from the social window, only from the main browser window - They should instruct their users that if they see a login request inside the social window, it's spoofed/unsafe and they should not use it - Guide providers about safe strings to place in notifications - e.g. "Joe has come online" but not "Joe has a new update and here it is: XXXX" - Information on what is blocked in the sandbox (plugins, etc) 2. Infrastructure - How to deploy their code safely - SocialAPI requires valid ssl certs, safebrowsing checks, same-origin policy of any urls in the manifest. Please expand this list as you see the need.
You need to log in before you can comment on or make changes to this bug.