Closed Bug 780311 Opened 12 years ago Closed 8 years ago

Security Review - Shumway SWF Runtime


( :: Security Assurance: Review Request, task)

Not set


(Not tracked)

Due Date:


(Reporter: bugs, Assigned: cpeterson)



(Whiteboard: [score=high][Fx] u= c= p=1 s=sprint 6 [shumway])

+++ This bug was initially created as a clone of Bug #779359 +++

Security review Q&As:

> 1. Who is/are the point of contact(s) for this review? 

  Jet Villegas
  Yury Delendik
  Tobias Schneider
  Shu-yu Guo
  Michael Bebenita
  Ian Melven

> 2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.): 

  Shumway is an experimental web-native runtime implementation of the SWF file format. It is developed as a free and open source project sponsored by Mozilla Research. The project was started with two goals:

1. Advance the open web platform to process rich media formats, like SWF, that were previously only available in closed and proprietary implementations.
2. Offer a runtime processor for SWF and other rich media formats on platforms for which runtime implementations are not available.

> 3. Please provide links to additional information (e.g. feature  page, wiki) if available and not yet included in feature description:

> 4. Does this request block another bug? If so, please indicate the bug number 

> 5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? 

  Initial review: Mid-to-Late August 2012 with expected follow-up reviews thereafter.

> 6. To help prioritize this work request, does this project support  a goal specifically listed on this quarter's goal list?  If so, which  goal? 

The goal is to advance the overall Web Platform and offer a web-native SWF runtime initially for Mobile platforms.

> 7. Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.) 
>    * Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users? 

      Adds SWF runtime feature to the Firefox for Android and Desktop: without external native plugin code.

>    * Are there any portions of the project that interact with 3rd party services? 

      Eventually, access to external http:// and https:// resources as SWF or other media types.

>    * Will your application/service collect user data? If so, please describe 


> 8. If you feel something is missing here or you would like to  provide other kind of feedback, feel free to do so here (no limits on  size): 

  This is a large effort to render an untrusted scriptable file format. Please design/review with appropriate care.

> 9. Desired Date of review (if known from and whom to invite. 

  Mid August 2012
No longer blocks: 776208
Summary: Security Review Plugin Overlay API → Security Review - Shumway SWF Runtime
Whiteboard: [pending secreview][triage needed 2012.08.08]
Assignee: nobody → dchan+bugzilla
Whiteboard: [pending secreview][triage needed 2012.08.08] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Is there a reason this review request is hidden? It's not a private feature, for example we announced today's review in the public platform meeting yesterday and in the wikimo notes.
unhiding, this was originally hidden as the blocked bug was hidden
Group: mozilla-confidential
Risk/Priority Ranking Exercise

Priority: 3 (P3) - Overall Mozilla Quarterly Goal

Operational: 0 - N/A
User: 4 - Critical
Privacy: 4 - Critical
Engineering: 4 - Critical
Reputational: 3 - Major

Priority Score: 45
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:45:Medium]
Jet: What is the status of Shumway? I should have free time after Firefox OS v1 to look at this.
Flags: needinfo?(bugs)
We're now in the release planning stage for our 0.9 release. This release will focus on the click-to-play Flash preview use-case. It will integrate with a modifications to our existing click-to-play plugin system. We'll schedule sec-review when we have more of the infrastructure in place.
Flags: needinfo?(bugs)
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:45:Medium] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:45:Medium][Fx]
Given activity at the summit we should likely restart this work as this is now landed in nightly but pref-ed off
Flags: needinfo?(dchan+bugzilla)
Depends on: 923205
This review will take us multiple sprints to finish. I'm talking with mwobensmith on testing. We may also need to create the architectural diagram. Ideally the security model would be the exact same as Adobe's Flashplayer minus the NPAPI bridge and the chrome/content communication we do for Shumway.
Flags: needinfo?(dchan)
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Score:45:Medium][Fx] → [score:high][Fx] u= c= p=1 s=ready
Whiteboard: [score:high][Fx] u= c= p=1 s=ready → [score=high][Fx] u= c= p=1 s=ready
If it makes sense to split this up into review components, I might be interested in testing cross domain policy support and ExternalInterface (communication with the DOM via Flash).
Whiteboard: [score=high][Fx] u= c= p=1 s=ready → [score=high][Fx] u= c= p=1 s=sprint 2
Whiteboard: [score=high][Fx] u= c= p=1 s=sprint 2 → [score=high][Fx] u= c= p=1 s=sprint 4
Whiteboard: [score=high][Fx] u= c= p=1 s=sprint 4 → [score=high][Fx] u= c= p=1 s=sprint 5
Whiteboard: [score=high][Fx] u= c= p=1 s=sprint 5 → [score=high][Fx] u= c= p=1 s=sprint 6
Curtis: what do you need to drive the Shumway security review forward?
Flags: needinfo?(curtisk)
(In reply to Chris Peterson (:cpeterson) from comment #11)
> Curtis: what do you need to drive the Shumway security review forward?

actually it's dchan who is on point for this one
Flags: needinfo?(curtisk) → needinfo?(dchan)
Whiteboard: [score=high][Fx] u= c= p=1 s=sprint 6 → [score=high][Fx] u= c= p=1 s=sprint 6 [shumway:m2]
Whiteboard: [score=high][Fx] u= c= p=1 s=sprint 6 [shumway:m2] → [score=high][Fx] u= c= p=1 s=sprint 6 [shumway]
Blocks: shumway-m4
Assignee: dchanm+bugzilla → nobody
Flags: needinfo?(dchanm+bugzilla)
Assignee: nobody → cpeterson
This Shumway bug is no longer relevant.
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.