Security documentation for Social Integration providers
7 years ago
(Reporter: amuntner, Unassigned)
The security review identified the importance of giving good security advice to social integration providers.

The secreview wiki ( documents these as proposed or accepted remediations

The purpose of this bug is for tracking and review of the documentation/guidance to be created for social providers.

My take is that we need to offer two categories of documentation:

1. Guidance for developers
- Their code should never have the user log in from the social window, only from the main browser window
- They should instruct their users that if they see a login request inside the social window, it's spoofed/unsafe and they should not use it
- Guide providers about safe strings to place in notifications - e.g. "Joe has come online" but not "Joe has a new update and here it is: XXXX"
- Information on what is blocked in the sandbox (plugins, etc.)

2. Infrastructure
- How to deploy their code safely
- SocialAPI requires valid SSL certs, safebrowsing checks, same-origin policy of any URLs in the manifest.

Please expand this list as you see the need.
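As an added illustration of two of the items above (not code from this bug, from the SocialAPI implementation, or from any provider), the following script shows the kind of pre-deployment check a provider could run over its own manifest (every URL must be https and share the manifest's origin) and a template-based way of building notification strings so that only a display name, never message content, reaches the notification. The manifest field names (origin, workerURL, sidebarURL, iconURL, shareURL), the relative-URL handling and the sample manifest are assumptions constructed for the example.

```javascript
// Added example; not Mozilla's SocialAPI code or any provider's code.
// Field names below are assumptions standing in for whatever URL fields
// a provider manifest actually carries.
const URL_FIELDS = ["workerURL", "sidebarURL", "iconURL", "shareURL"];

// Returns a list of problems; an empty list means the manifest passes the
// "https only, same origin as the provider" check described in the bug.
function checkManifest(manifest) {
  const problems = [];
  let providerOrigin;
  try {
    providerOrigin = new URL(manifest.origin).origin;
  } catch (e) {
    return ["origin: not a valid URL"];
  }
  if (!providerOrigin.startsWith("https://")) {
    problems.push("origin: must be https");
  }
  for (const field of URL_FIELDS) {
    const value = manifest[field];
    if (value === undefined) continue;
    let u;
    try {
      // Assumption: relative URLs are resolved against the provider origin.
      u = new URL(value, providerOrigin);
    } catch (e) {
      problems.push(`${field}: not a valid URL`);
      continue;
    }
    if (u.protocol !== "https:") {
      problems.push(`${field}: must be https, got ${u.protocol}`);
    }
    if (u.origin !== providerOrigin) {
      problems.push(`${field}: origin ${u.origin} differs from ${providerOrigin}`);
    }
  }
  return problems;
}

// Notification text is chosen from fixed templates; the only variable part
// is a display name. Post or message bodies never reach the notification.
const NOTIFICATION_TEMPLATES = {
  online: (name) => `${name} has come online`,
  newUpdate: (name) => `${name} has a new update`,
};

function buildNotification(kind, displayName) {
  const template = NOTIFICATION_TEMPLATES[kind];
  if (!template) throw new Error(`unknown notification kind: ${kind}`);
  // Collapse whitespace and control characters and cap the length. This
  // limits how much text a crafted display name can smuggle in; it is a
  // mitigation on top of the template rule, not a substitute for it.
  const name = String(displayName)
    .replace(/[\s\u0000-\u001f]+/g, " ")
    .trim()
    .slice(0, 40);
  return template(name);
}

// Constructed sample manifest (not a real provider).
const SAMPLE_MANIFEST = {
  origin: "https://social.example",
  workerURL: "/worker.js",
  sidebarURL: "https://social.example/sidebar",
  iconURL: "http://social.example/icon.png",
  shareURL: "https://cdn.example/share",
};

// Usage: report problems for the sample manifest and build one notification.
function demo() {
  return {
    problems: checkManifest(SAMPLE_MANIFEST),
    notification: buildNotification("online", "Joe"),
  };
}

module.exports = { checkManifest, buildNotification, demo, SAMPLE_MANIFEST };
```

Running `demo()` against the constructed sample flags the http icon URL (wrong scheme and, because the scheme differs, a different origin) and the share URL hosted on another origin, while the relative worker URL resolves to the provider origin and passes.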
Duplicate of this bug: 771352