Closed Bug 859201 Opened 11 years ago Closed 11 years ago

[Contacts] The Contacts App Should NOT be using the mozKeyboard API

Categories

(Firefox OS Graveyard :: Gaia::Contacts, defect)

x86
macOS
defect
Not set
normal

Tracking

(blocking-b2g:leo+, b2g18+ fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 unaffected)

RESOLVED FIXED

People

(Reporter: evanxd, Assigned: timdream)

Attachments

(1 file)

In the contacts.js file, the goToSelectTag function used the mozKeyboard.removeFocus() API.

See in the Gaia master:
https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/js/contacts.js#L403

We thought the Contacts App should not use the mozKeyboard API.
Can we replace this with document.activeElement.blur() instead?

The mozKeyboard API has security implications too; we should remove this permission from the production phone.
blocking-b2g: --- → tef?
tracking-b2g18: --- → ?
Flags: needinfo?(francisco.jordano)
Summary: [Contacts] The Contacts App Should NOT use the mozKeyboard API. → [Contacts] The Contacts App Should NOT be using the mozKeyboard API
I am sorry, I needinfo'd the wrong person :-/
Flags: needinfo?(francisco.jordano)
Now this is the right set of people to CC.
Depends on: 833231
Assignee: nobody → francisco.jordano
Stealing, I have verified my comment 1 works with STR in bug 833231 comment 0.
Assignee: francisco.jordano → timdream
Not blocking for now, doesn't seem user critical.

Tim - can you renominate with justification? If it's a security issue, please make sure to sync up with Paul and make sure he agrees this is critical to fix for v1.0.1. We'd rather not take a change here.
blocking-b2g: tef? → -
This seems like a pretty simple change for a big risk gain here. It's not directly exploitable, but given the contacts app has a relatively large attack surface with the Facebook integration etc. (as opposed to the keyboard app, which is completely local), I think this is worth fixing. Especially given how simple a change this is.
blocking-b2g: - → tef?
Er, first sentence should read: pretty simple change for a big risk MITIGATION...
(In reply to Paul Theriault [:pauljt] from comment #8)
> This seems like a pretty simple change for a big risk gain here. It's not
> directly exploitable, but given the contacts app has a relatively large
> attack surface with the Facebook integration etc. (as opposed to the keyboard
> app, which is completely local), I think this is worth fixing. Especially
> given how simple a change this is.

I agree, pretty simple change for a big win
Comment on attachment 738579 [details] [review]
Github: https://github.com/mozilla-b2g/gaia/pull/9248

\o/ 
Tests passing locally.
Thanks!
Attachment #738579 - Flags: review?(alberto.pastor) → review+
Is v1.0.1 even affected? Bug 855175 appears to have only landed to v1.1. If that's correct, please leo? instead
Flags: needinfo?(alberto.pastor)
Right, bug 833231 only lands on v1-train.
blocking-b2g: tef? → leo?
Flags: needinfo?(alberto.pastor)
master: https://github.com/mozilla-b2g/gaia/commit/48415d26d6821bdadd4a43d7ccc2a87672cc0bdf
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
blocking-b2g: leo? → leo+
Uplifted 48415d26d6821bdadd4a43d7ccc2a87672cc0bdf to:
v1-train: 7138457c3ff9461b531f07e2c956c0129f962eb6
Flags: in-moztrap-
Attachment mime type: text/plain → text/x-github-pull-request
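
The check the thread asks for (no mozKeyboard calls outside the keyboard app, and no leftover permission in the manifest) can be automated. The following is an added example, not code from the bug or from Gaia; the manifest permission key `keyboard`, the function name `auditApp` and the sample inputs are assumptions made for illustration.

```javascript
// Assumption: the manifest key that grants navigator.mozKeyboard is "keyboard".
const DEFAULT_PERMISSION = 'keyboard';
const API_USE = /\bmozKeyboard\b/;
const REMOVE_FOCUS = /\bmozKeyboard\s*\.\s*removeFocus\s*\(/;

// app: { manifest: <JSON text>, sources: { path: <JS text> } }
function auditApp(app, permission = DEFAULT_PERMISSION) {
  const manifest = JSON.parse(app.manifest);
  const declared = Object.prototype.hasOwnProperty.call(
    manifest.permissions || {}, permission);

  const uses = [];
  for (const [file, text] of Object.entries(app.sources)) {
    text.split('\n').forEach((code, i) => {
      if (!API_USE.test(code)) return;
      uses.push({
        file,
        line: i + 1,
        // The replacement proposed in the thread only covers removeFocus().
        blurReplaceable: REMOVE_FOCUS.test(code),
      });
    });
  }

  // Least privilege: the permission should be absent unless calls remain.
  let verdict = 'clean';
  if (declared && uses.length === 0) verdict = 'unused-permission';
  else if (declared) verdict = 'permission-in-use';
  else if (uses.length > 0) verdict = 'calls-without-permission';
  return { declared, uses, verdict };
}

// Constructed sample inputs (not the real Gaia files).
const before = {
  manifest: '{"name":"Communications","permissions":{"contacts":{"access":"readwrite"},"keyboard":{}}}',
  sources: {
    'js/contacts.js': 'function goToSelectTag(event) {\n  navigator.mozKeyboard.removeFocus();\n}\n',
  },
};
const after = {
  manifest: '{"name":"Communications","permissions":{"contacts":{"access":"readwrite"}}}',
  sources: {
    'js/contacts.js': 'function goToSelectTag(event) {\n  document.activeElement.blur();\n}\n',
  },
};

console.log(auditApp(before));
console.log(auditApp(after));
```

A verdict of `unused-permission` marks the case where the calls are gone but the manifest still grants the capability, so the attack-surface reduction discussed above has not actually happened yet.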