Status

mozilla.org
Security Assurance: Review Request
6 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: dveditz)

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][Fx])

(Reporter)

Description

6 years ago
(Scope: bugs tracked by bug 816381)

Is expiration likely to confuse web servers?  Should we expire [tabs from the same site] as a group?

What happens to a cross-window reference to an expired tab?  Will we confuse sites by saying that window.closed is true, and then making the tab reappear?  Should we expire [tabs that can reference each other], aka "constellations", as a group?

What happens if a page is being expired and has an onbeforeunload, onunload, or onpagehide handler?  Keep in mind that pages can do unexpected things in response to these events, such as showing dialogs (see bug 578828 and bug 391834), closing themselves or other tabs (thus changing the number of tabs), or spinning a nested event loop.

Does tab expiration violate assumptions in the Session Restore and Layout History code?  It's the first time we're restoring within a single session.  It's also the first time we're allowing the user to browse between saving a tab and {closing the browser, restoring the tab}.

It would be nice to be able to fuzz expiration.  (Currently, I'm not fuzzing session restore at all, because doing things across instances is hard!)  I'd love an API that let me control which top-level window objects should expire or un-expire.  In Firefox desktop.  (Such an API would also be good for regression testing, and for add-ons like BarTab.)

1) Who is/are the point of contact(s) for this review?
2) Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
3) Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
4) Does this request block another bug? If so, please indicate the bug number
5) This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
6) To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list?  If so, which goal?
7) Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)
7a) Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
7b) Are there any portions of the project that interact with 3rd party services?
7c) Will your application/service collect user data? If so, please describe
8) If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size):
9) Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
Flags: needinfo?
Whiteboard: [pending secreview]

Curtis, who do you need info from?
Flags: needinfo?

(In reply to Brad Lassey [:blassey] from comment #2)
> Curtis, who do you need info from?

Anyone who can answer the questions in comment 1

It looks like this sec review covers both desktop and Android. I can be the Android contact for this.

(In reply to Curtis Koenig [:curtisk] from comment #1)
> 1) Who is/are the point of contact(s) for this review?

Me (for Android)

> 2) Please provide a short description of the feature / application (e.g.
> problem solved, use cases, etc.):

https://staktrace.com/spout/entry.php?id=782

> 5) This review will be scheduled amongst other requested reviews. What is
> the urgency or needed completion date of this review?

The relevant code (again, for Android) has already landed in FF19. Probably a good idea to have the review done before it ships sometime in February.

> 6) To help prioritize this work request, does this project support a goal
> specifically listed on this quarter's goal list?  If so, which goal?

It supports the "Support shipping ARMv6" goal listed at https://wiki.mozilla.org/Platform/2012-Q4-Goals#Mobile

> 7) Please answer the following few questions: (Note: If you are asked to
> describe anything, 1-2 sentences shall suffice.)
> 7a) Does this feature or code change affect Firefox, Thunderbird or any
> product or service that Mozilla ships to end users?

Affects Firefox for Android.

> 7b) Are there any portions of the project that interact with 3rd party
> services?

Nope.

> 7c) Will your application/service collect user data? If so, please describe

We added some telemetry probes in bug 808003 to see how often tabs were getting zombified. No other user data is collected.
Whiteboard: [pending secreview] → [pending secreview][triage needed]
(Assignee)

Updated

6 years ago
Assignee: nobody → dveditz
(Assignee)

Updated

6 years ago
Whiteboard: [pending secreview][triage needed] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
(Assignee)

Updated

5 years ago
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy][Fx]