Closed Bug 860268 Opened 11 years ago Closed 11 years ago

Security review for discovering and installing additional Social API providers

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: psiinon, Assigned: mixedpuppy)

Details

(Whiteboard: [start 2013-04-29][target 2013-05-06][Fx])

Attachments

(1 obsolete file)

      No description provided.
Hum, did I set the flags wrong?
Didn't expect it to go all yellow ... ;)
Group: mozilla-corporation-confidential, core-security
Component: SocialAPI → Security Assurance: Review Request
Product: Firefox → mozilla.org
Version: unspecified → other
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [pending secreview] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Scheduling the secreview for Monday 6th May.
Who should be invited from the dev team?
I'd suggest myself, Shane and felipe at a minimum. Markh might be interested as well.
https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=250699-250698&pstat=AC&exInvId=250699-312992&useInstance=1&instStartTime=1367870400000&instDuration=3600000

Subject: SecReview: discovering and installing additional Social API providers

Location: "MTV-3V Very Good Very Mighty" <3v@mozilla.com>; "SFO 319 Golden Gate Bridge" <sfo319@mozilla.com>

Resources: "MTV-3V Very Good Very Mighty" <3v@mozilla.com>; "SFO 319 Golden Gate Bridge" <sfo319@mozilla.com>

Time: Monday, May 6, 2013, 1:00:00 PM - 2:00:00 PM GMT -08:00 US/Canada Pacific

Meeting Details:
* Mon. 6-May-2013, 1300 PST
* Where:
- MTV: 3V-Very Good Very Mighty
- SFO: 319 Golden Gate Bridge
- Vidyo(9710) secreview [https://v.mozilla.com/flex.html?roomdirect.html&key=EEtiuXn8C5EP]
* IRC Channel: #security
* Etherpad: http://etherpad.mozilla.com/secreview
* Dial-in Info (phone):
- In office or soft phone: extension 92
- US/INTL: 650-903-0800 or 650-215-1282 then extension 92
- Toronto: 416-848-3114 then extension 92
- Toll-free: 800-707-2533 then password 369
- Conference num 99710

Items to be reviewed:
https://bugzilla.mozilla.org/show_bug.cgi?id=860268
https://bugzilla.mozilla.org/show_bug.cgi?id=786133

Agenda:
* Introduce Feature (5-10 minutes) [can be answered ahead of time to save meeting time]
- Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- What solutions/approaches were considered other than the proposed solution?
- Why was this solution chosen?
- Any security threats already considered in the design and why?
* Threat Brainstorming (30-40 minutes)
* Conclusions / Action Items (10-20 minutes)
I've started some documentation here: https://mana.mozilla.org/wiki/display/SECURITY/Social+API+multi-providers+Security+Review

mixedpuppy: can you see this? If so, what's missing?
Flags: needinfo?(mixedpuppy)
(In reply to Simon Bennetts [:psiinon] from comment #5)
> I've started some documentation here:
> https://mana.mozilla.org/wiki/display/SECURITY/Social+API+multi-providers+Security+Review
> 
> mixedpuppy: can you see this? If so, what's missing?

looks ok, the second bullet in the concerns section (able to install second time before uninstall is complete) is merely bug 862314 that needs to be fixed.
Flags: needinfo?(mixedpuppy)
Depends on: 870503
Depends on: 870546
Depends on: 870549
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Fx]
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd][Fx] → [start 2013-04-29][target 2013-05-06][Fx]
This allows a provider to update the manifest and have it take effect without restarting Firefox.  If the provider is the current provider, it is completely reloaded.  The "undo" panel is shown again, which isn't quite appropriate, but we won't be able to change strings (i.e. we should uplift this to fx23)
Assignee: sbennetts → mixedpuppy
Attachment #763717 - Flags: review?(gavin.sharp)
Comment on attachment 763717 [details] [diff] [review]
upgrade manifest from reactivation

argh.  added to wrong bug, I should eat first I guess.
Attachment #763717 - Attachment is obsolete: true
Attachment #763717 - Flags: review?(gavin.sharp)