Security/l20n

From MozillaWiki

Date of discussion:

  • 2011.04.11

Participants:

  • Lucas Adamski
  • Curtis Koenig
  • Gandalf
  • Brandon Sterne
  • Dan Veditz

Background:

  • New localization format (l20n) targeted for Firefox 7
  • Localized strings are exposed as a JavaScript object of name-value pairs that lives in its own context
  • Compatibility with Electrolysis and add-ons being explored

Security Concerns:

  • A localization entity could carry XUL, HTML or XML markup; if an entity's value is expanded into a DOM node as markup rather than as text, that markup is injected into the UI
  • XBL bindings cannot be whitelisted as safe; need to determine which attributes can be safely whitelisted
  • More documentation on the feature is needed before possible issues can be explored
  • Because add-ons can trigger compilation of l20n files at runtime, this path will need further testing

Responses:

  • Entity values are strings at all times
  • The accesskey, label, tooltip and value attributes are set by default and are safe
  • String bundles and .properties files become a localization object in l20n
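The following is an added illustration of the injection concern and of the string-only, whitelisted-attribute response above; it is not l20n project code and does not reflect the actual l20n API. It assumes a localization object shaped as entity name -> { value, attrs }, a minimal stand-in node class so it runs outside a browser, and constructed sample entities, one of which carries hostile markup as a bad locale file might. In a browser the same logic would apply to a real element via textContent and setAttribute.

```javascript
// Added example: applying localization entities to UI nodes safely.
// Not l20n's own code; the entity shape and the FakeNode class are assumptions.

// Constructed localization object (name -> { value, attrs }).
// "greeting" carries markup in its value; "quit" carries non-whitelisted attributes.
const L10N = {
  saveButton: { value: "Save", attrs: { label: "Save", accesskey: "S", tooltip: "Save the file" } },
  greeting:   { value: 'Hello <img src=x onerror="alert(1)">', attrs: {} },
  quit:       { value: "Quit", attrs: { label: "Quit", onclick: "alert(1)", style: "display:none" } },
};

// Attributes the review treats as defaulted and safe.
const SAFE_ATTRS = new Set(["accesskey", "label", "tooltip", "value"]);

// Minimal stand-in for a DOM node (Node.js has no DOM). Assumption for this example.
class FakeNode {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.textContent = ""; this.innerHTML = ""; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  getAttribute(name) { return this.attrs[name]; }
}

// The hazard: the entity value is expanded as markup and every attribute is
// copied through. A value holding XUL/HTML is injected into the tree.
function expandUnsafe(node, entity) {
  node.innerHTML = entity.value;
  for (const [name, v] of Object.entries(entity.attrs)) node.setAttribute(name, v);
  return node;
}

// The response: the value is always treated as a string (textContent), and only
// whitelisted attributes are copied. Returns the rejected attribute names.
function applyL10n(node, entity) {
  node.textContent = String(entity.value);
  const rejected = [];
  for (const [name, v] of Object.entries(entity.attrs)) {
    if (SAFE_ATTRS.has(name.toLowerCase())) node.setAttribute(name, v);
    else rejected.push(name);
  }
  return rejected;
}

// For the cases where a localized string really must be placed inside markup:
// escape the characters that would otherwise start a tag, attribute or entity.
function escapeMarkup(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reviewer-side check over a whole localization object: flag values that look
// like markup and attributes outside the whitelist.
function auditLocale(l10n) {
  const findings = [];
  for (const [name, entity] of Object.entries(l10n)) {
    if (/[<>]/.test(String(entity.value))) findings.push(`${name}: value contains markup`);
    for (const attr of Object.keys(entity.attrs)) {
      if (!SAFE_ATTRS.has(attr.toLowerCase())) findings.push(`${name}: non-whitelisted attribute ${attr}`);
    }
  }
  return findings;
}

// Stand-alone run: show the audit findings and the difference between the two paths.
console.log(auditLocale(L10N));
console.log(expandUnsafe(new FakeNode("description"), L10N.greeting).innerHTML);
const safeNode = new FakeNode("description");
console.log(applyL10n(safeNode, L10N.greeting), safeNode.textContent);
```

The audit is a review aid, not a substitute for the string-only sink: even a value that passes the audit must still go through textContent or a whitelisted attribute, because the whitelist is what keeps the XBL and event-handler attributes mentioned in the concerns out of the tree.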

To-Do:

  • Need the l20n file format, the compiler, an annotated grammar and an example JS file for analysis