Closed
Bug 859201
Opened 11 years ago
Closed 11 years ago
[Contacts] The Contacts App Should NOT be using the mozKeyboard API
Categories
(Firefox OS Graveyard :: Gaia::Contacts, defect)
Tracking
(blocking-b2g:leo+, b2g18+ fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 unaffected)
RESOLVED
FIXED
People
(Reporter: evanxd, Assigned: timdream)
Attachments
(1 file)
In the contacts.js file, the goToSelectTag function used the mozKeyboard.removeFocus() API.
See in the Gaia master: https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/js/contacts.js#L403
We thought the Contacts App should not use the mozKeyboard API.
Assignee
Comment 1•11 years ago
Can we replace this with document.activeElement.blur() instead? The mozKeyboard API has security implications too; we should remove this permission from the production phone.
blocking-b2g: --- → tef?
status-b2g18: --- → affected
status-b2g18-v1.0.0: --- → wontfix
status-b2g18-v1.0.1: --- → affected
tracking-b2g18: --- → ?
Flags: needinfo?(francisco.jordano)
Assignee
Updated•11 years ago
Summary: [Contacts] The Contacts App Should NOT use the mozKeyboard API. → [Contacts] The Contacts App Should NOT be using the mozKeyboard API
Assignee
Comment 2•11 years ago
I am sorry, I needinfo'd the wrong person :-/
Flags: needinfo?(francisco.jordano)
Assignee
Comment 3•11 years ago
Now this is the right set of people to CC.
Depends on: 833231
Updated•11 years ago
Assignee: nobody → francisco.jordano
Assignee
Comment 4•11 years ago
Stealing, I have verified my comment 1 works with STR in bug 833231 comment 0.
Assignee: francisco.jordano → timdream
Assignee
Comment 5•11 years ago
Attachment #738579 -
Flags: review?(alberto.pastor)
Comment 6•11 years ago
Thanks Tim!
Comment 7•11 years ago
Not blocking for now, doesn't seem user critical. Tim - can you renominate with justification? If it's a security issue, please make sure to sync up with Paul and make sure he agrees this is critical to fix for v1.0.1. We'd rather not take a change here.
blocking-b2g: tef? → -
Comment 8•11 years ago
This seems like a pretty simple change for a big risk gain here. It's not directly exploitable, but given the contacts app has a relatively large attack surface with the Facebook integration etc. (as opposed to the keyboard app, which is completely local) I think this is worth fixing. Especially given how simple a change this is.
blocking-b2g: - → tef?
Comment 9•11 years ago
Er, first sentence should read: pretty simple change for a big risk MITIGATION...
Comment 10•11 years ago
(In reply to Paul Theriault [:pauljt] from comment #8)
> This seems like a pretty simple change for a big risk gain here. It's not
> directly exploitable, but given the contacts app has a relatively large
> attack surface with the Facebook integration etc. (as opposed to the keyboard
> app, which is completely local) I think this is worth fixing. Especially
> given how simple a change this is.

I agree, pretty simple change for a big win
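
The least-privilege point from comments 1 and 8, as an added example that is not part of this bug or of the Gaia code: a small Node.js audit that flags apps still calling `mozKeyboard` and reports when the only use is `removeFocus()`, which comment 1 proposes replacing with `document.activeElement.blur()`. The permission name `keyboard`, the function names, and the sample manifest and source are assumptions constructed for illustration.

```javascript
// Added example: least-privilege audit for the change discussed in this bug.
// ASSUMPTION: the manifest permission backing navigator.mozKeyboard is named
// "keyboard"; adjust KEYBOARD_PERMISSION if your tree uses another name.
const KEYBOARD_PERMISSION = 'keyboard';

// Find every mozKeyboard.<method> reference, with file and line number.
function findKeyboardApiUses(sources) {
  const uses = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split('\n').forEach((line, i) => {
      const code = line.replace(/\/\/.*$/, ''); // ignore trailing // comments
      for (const m of code.matchAll(/\bmozKeyboard\s*\.\s*([A-Za-z_$][\w$]*)/g)) {
        uses.push({ file, line: i + 1, method: m[1] });
      }
    });
  }
  return uses;
}

// Classify an app: does it hold the permission, and could it drop it?
function auditApp(manifest, sources) {
  const holdsPermission = Object.prototype.hasOwnProperty.call(
    manifest.permissions || {}, KEYBOARD_PERMISSION);
  const uses = findKeyboardApiUses(sources);
  // removeFocus() only dismisses the keyboard; comment 1 proposes
  // document.activeElement.blur() as the unprivileged replacement.
  const blocking = uses.filter((u) => u.method !== 'removeFocus');
  let verdict;
  if (uses.length === 0) {
    verdict = holdsPermission ? 'drop-unused-permission' : 'ok';
  } else if (blocking.length === 0) {
    verdict = 'replace-with-blur-then-drop-permission';
  } else {
    verdict = 'needs-review';
  }
  return { holdsPermission, uses, verdict };
}

// Constructed sample input (not the real Gaia sources).
const contactsManifest = { permissions: { contacts: {}, keyboard: {} } };
const contactsSources = {
  'js/contacts.js': [
    'function goToSelectTag(event) {',
    '  // was: dismiss the keyboard via mozKeyboard',
    '  navigator.mozKeyboard.removeFocus();',
    '}',
  ].join('\n'),
};
console.log(auditApp(contactsManifest, contactsSources));
```
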
Comment 11•11 years ago
Comment on attachment 738579
Github: https://github.com/mozilla-b2g/gaia/pull/9248

\o/ Tests passing locally. Thanks!
Attachment #738579 -
Flags: review?(alberto.pastor) → review+
Comment 12•11 years ago
Is v1.0.1 even affected? Bug 855175 appears to have only landed to v1.1. If that's correct, please leo? instead
Flags: needinfo?(alberto.pastor)
Assignee
Comment 13•11 years ago
Right, bug 833231 only lands on v1-train.
Assignee
Comment 14•11 years ago
master: https://github.com/mozilla-b2g/gaia/commit/48415d26d6821bdadd4a43d7ccc2a87672cc0bdf
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
blocking-b2g: leo? → leo+
Comment 15•11 years ago
Uplifted 48415d26d6821bdadd4a43d7ccc2a87672cc0bdf to: v1-train: 7138457c3ff9461b531f07e2c956c0129f962eb6
Updated•11 years ago
Flags: in-moztrap-
Updated•11 years ago
Attachment mime type: text/plain → text/x-github-pull-request