Security/Reviews/MarionetteCLIAll

From MozillaWiki
Jump to navigation Jump to search
Please use "Edit with form" above to edit this page.

Item Reviewed

Add --marionette CLI to enable Marionette on all Firefox builds
Target 
   
     Full Query
ID Summary Priority Status
870445 Add --marionette CLI to enable Marionette on all Firefox builds -- RESOLVED
870576 SecReview: Add --marionette CLI to enable Marionette on all Firefox builds -- RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

Previous Review:

{{#set:SecReview name=Add --marionette CLI to enable Marionette on all Firefox builds

|SecReview target=

Full Query
ID Summary Priority Status
870445 Add --marionette CLI to enable Marionette on all Firefox builds -- RESOLVED
870576 SecReview: Add --marionette CLI to enable Marionette on all Firefox builds -- RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

Previous Review:

}}

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • W3C spec for WebDriver (our implementation)
    • there are other implementations (Firefox Driver)
    • Similar to Mozmill
    • Key framework to B2G (built into Gecko to simplify a lot of work, since B2G does not support extensions)
  • SocialAPI people would like to use this for automation
  • in the past this was for debug builds only
    • social API has asked for this in optimized builds
    • to gain further audience for test automation
  • Chromium and Opera are also doing this in optimized builds
  • This review is just for Firefox Desktop

What solutions/approaches were considered other than the proposed solution?

  • based on what the SocialAPI team wants, there are currently no other ways to support this
  • use Firefox Driver
    • this supports content only, and we need some items in chrome

Why was this solution chosen?

  • reasons above

Any security threats already considered in the design and why?

`

Threat Brainstorming

  • https://bugzilla.mozilla.org/show_bug.cgi?id=741812
    • [Security Review][Action Item]Marionette - AMO Review Information
    • won't fix
    • need to re-open this bug given other information from this review
  • https://bugzilla.mozilla.org/show_bug.cgi?id=741813
    • [Security Review][Action Item] Marionette - pref
    • won't fix
    • this may have been fixed by the use of startup flags
    • Still wontfix now because we won't be able to enable Marionette with just a pref anymore
  • what has been done to keep an add-on from using this
    • nothing to date
  • why do we have prefs if we have command line
    • prefs hold other information (i.e. port) not simply a start/stop kind of pref
  • [sidenote for B2G] On B2G, it listens to everything, we should restrict this to localhost (already done for Firefox)
  • We could prefix with a note in parenthesis/braces in stdout for debug information that gets sent to hosts other than localhost

{{#set: SecReview feature goal=* W3C spec for WebDriver (our implementation)

    • there are other implementations (Firefox Driver)
    • Similar to Mozmill
    • Key framework to B2G (built into Gecko to simplify a lot of work, since B2G does not support extensions)
  • SocialAPI people would like to use this for automation
  • in the past this was for debug builds only
    • social API has asked for this in optimized builds
    • to gain further audience for test automation
  • Chromium and Opera are also doing this in optimized builds
  • This review is just for Firefox Desktop

|SecReview alt solutions=* based on what the SocialAPI team wants, there are currently no other ways to support this

  • use Firefox Driver
    • this supports content only, and we need some items in chrome

|SecReview solution chosen=* reasons above |SecReview threats considered=' |SecReview threat brainstorming=* https://bugzilla.mozilla.org/show_bug.cgi?id=741812

    • [Security Review][Action Item]Marionette - AMO Review Information
    • won't fix
    • need to re-open this bug given other information from this review
  • https://bugzilla.mozilla.org/show_bug.cgi?id=741813
    • [Security Review][Action Item] Marionette - pref
    • won't fix
    • this may have been fixed by the use of startup flags
    • Still wontfix now because we won't be able to enable Marionette with just a pref anymore
  • what has been done to keep an add-on from using this
    • nothing to date
  • why do we have prefs if we have command line
    • prefs hold other information (i.e. port) not simply a start/stop kind of pref
  • [sidenote for B2G] On B2G, it listens to everything, we should restrict this to localhost (already done for Firefox)
  • We could prefix with a note in parenthesis/braces in stdout for debug information that gets sent to hosts other than localhost

}}

Action Items

Action Item Status In Progress
Release Target `
Action Items
* Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
  • Marionette Team :: reopen and address 741812 for AMO :: before enabling in optimize builds

{{#set:|SecReview action item status=In Progress

|Feature version=` |SecReview action items=* Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)

  • Marionette Team :: reopen and address 741812 for AMO :: before enabling in optimize builds

}}

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Reviews/MarionetteCLIAll&oldid=655446"