[Contacts] The Contacts App Should NOT be using the mozKeyboard API

RESOLVED FIXED

Status

Firefox OS
Gaia::Contacts
5 years ago
4 years ago

People

(Reporter: evanxd, Assigned: timdream)

Tracking

unspecified
x86
Mac OS X
Bug Flags:
in-moztrap -

Firefox Tracking Flags

(blocking-b2g:leo+, b2g18+ fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 unaffected)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
In the contacts.js file, the goToSelectTag function used the mozKeyboard.removeFocus() API.

See in the Gaia master:
https://github.com/mozilla-b2g/gaia/blob/master/apps/communications/contacts/js/contacts.js#L403

We thought the Contacts App should not use the mozKeyboard API.
Can we replace this with document.activeElement.blur() instead?

The mozKeyboard API has security implications too; we should remove this permission from the production phone.
blocking-b2g: --- → tef?
status-b2g18: --- → affected
status-b2g18-v1.0.0: --- → wontfix
status-b2g18-v1.0.1: --- → affected
tracking-b2g18: --- → ?
Flags: needinfo?(francisco.jordano)
Summary: [Contacts] The Contacts App Should NOT use the mozKeyboard API. → [Contacts] The Contacts App Should NOT be using the mozKeyboard API
I am sorry, I needinfo'd the wrong person :-/
Flags: needinfo?(francisco.jordano)
Now this is the right set of people to CC.
Depends on: 833231
tracking-b2g18: ? → +
Assignee: nobody → francisco.jordano
Stealing, I have verified my comment 1 works with STR in bug 833231 comment 0.
Assignee: francisco.jordano → timdream

Comment 7

5 years ago
Not blocking for now, doesn't seem user critical.

Tim - can you renominate with justification? If it's a security issue, please make sure to sync up with Paul and make sure he agrees this is critical to fix for v1.0.1. We'd rather not take a change here.
blocking-b2g: tef? → -
This seems like a pretty simple change for a big risk gain here. It's not directly exploitable, but given the contacts app has a relatively large attack surface with the Facebook integration etc (as opposed to the keyboard app which is completely local) I think this is worth fixing. Especially given how simple a change this is.
blocking-b2g: - → tef?
Er, first sentence should read: pretty simple change for a big risk MITIGATION...

Comment 10

5 years ago
(In reply to Paul Theriault [:pauljt] from comment #8)
> This seems like a pretty simple change for a big risk gain here. It's not
> directly exploitable, but given the contacts app has a relatively large
> attack surface with the Facebook integration etc (as opposed to the keyboard
> app which is completely local) I think this is worth fixing. Especially
> given how simple a change this is.

I agree, pretty simple change for a big win

Comment 11

5 years ago
Comment on attachment 738579 [details] [review]
Github: https://github.com/mozilla-b2g/gaia/pull/9248

\o/ 
Tests passing locally.
Thanks!
Attachment #738579 - Flags: review?(alberto.pastor) → review+
Is v1.0.1 even affected? Bug 855175 appears to have only landed to v1.1. If that's correct, please leo? instead
status-b2g18-v1.0.1: affected → ?
Flags: needinfo?(alberto.pastor)
Right, bug 833231 only lands on v1-train.
blocking-b2g: tef? → leo?
status-b2g18-v1.0.1: ? → unaffected
Flags: needinfo?(alberto.pastor)
master: https://github.com/mozilla-b2g/gaia/commit/48415d26d6821bdadd4a43d7ccc2a87672cc0bdf
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
blocking-b2g: leo? → leo+
Uplifted 48415d26d6821bdadd4a43d7ccc2a87672cc0bdf to:
v1-train: 7138457c3ff9461b531f07e2c956c0129f962eb6
status-b2g18: affected → fixed

Updated

5 years ago
Flags: in-moztrap-
Attachment mime type: text/plain → text/x-github-pull-request
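
The least-privilege point of this bug, as an added example (not code from the Gaia repository or the linked pull request): a small audit that flags apps whose only use of `mozKeyboard` is `removeFocus()`, which the permission-free `document.activeElement.blur()` proposed in the description replaces. The manifest permission key `keyboard`, the function names and the sample apps are assumptions constructed for illustration.

```javascript
// Assumption: the manifest permission that exposes navigator.mozKeyboard is
// keyed "keyboard". All names below are hypothetical, not Gaia's own.
const KEYBOARD_PERMISSION = 'keyboard';

// Collect every mozKeyboard member the source text touches, e.g. "removeFocus".
function mozKeyboardMembers(source) {
  const members = new Set();
  const re = /\bmozKeyboard\s*\.\s*([A-Za-z_$][\w$]*)/g;
  let m;
  while ((m = re.exec(source)) !== null) members.add(m[1]);
  return [...members].sort();
}

// Compare what the manifest requests with what the code actually needs.
function auditApp(app) {
  const perms = (app.manifest && app.manifest.permissions) || {};
  const requested = Object.prototype.hasOwnProperty.call(perms, KEYBOARD_PERMISSION);
  const members = mozKeyboardMembers(Object.values(app.sources).join('\n'));
  let verdict;
  if (members.length === 0) verdict = requested ? 'unused-permission' : 'ok';
  else if (members.every((n) => n === 'removeFocus')) verdict = 'replace-with-blur';
  else verdict = 'review-needed'; // genuinely drives the keyboard API
  return { name: app.name, requested, members, verdict };
}

// The permission-free replacement proposed in the bug description.
function dismissKeyboard(doc) {
  const el = doc.activeElement;
  if (el && typeof el.blur === 'function') { el.blur(); return true; }
  return false; // nothing focused, nothing to dismiss
}

// Constructed sample apps (not real Gaia sources).
const SAMPLE_APPS = [
  { name: 'contacts-like',
    manifest: { permissions: { contacts: {}, keyboard: {} } },
    sources: { 'a.js': 'function goToSelectTag() { navigator.mozKeyboard.removeFocus(); }' } },
  { name: 'keyboard-like',
    manifest: { permissions: { keyboard: {} } },
    sources: { 'k.js': 'navigator.mozKeyboard.sendKey(0, 65);\nnavigator.mozKeyboard.removeFocus();' } },
  { name: 'stale-manifest',
    manifest: { permissions: { keyboard: {} } },
    sources: { 's.js': 'document.activeElement.blur();' } },
];

function auditAll(apps) { return apps.map(auditApp); }
```

An app reported as `replace-with-blur` or `unused-permission` can drop the permission from its manifest once the call is swapped.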