Firefox3.1/Elliptical Border Security Review

From MozillaWiki
Jump to: navigation, search

Overview

This feature augments the -moz-border-radius CSS properties to allow quarter-ellipse corners as well as quarter-circle corners

Background links

Security and Privacy

  • What security issues do you address in your project?
    • A new CSS property is added. It is parsed using the existing CSS parser APIs
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
    • There are no config files or prefs.
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
    • Assumes that the gfx code to draw quarter-ellipses will not crash on edge cases, e.g. when one axis is zero and the other is nonzero.

Exported APIs

  • Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
    • No new interfaces.
  • Does it interoperate with a web service? How will it do so?
    • nope
  • Explain the significant file formats, names, syntax, and semantics.
  • Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
    • Yes, this is part of the css3-background spec, which is currently a Working Draft.
  • Does it change any existing interfaces?
    • The syntax of all -moz-border-radius* CSS properties is extended in a backward-compatible fashion.
    • Javascript which inspects those properties may see value formats it was not expecting (i.e. two values instead of one), but only if the extended feature is in use.
    • Internally, several style structures are changed to store pairs of values instead of single values for corner radii; see "storage formats" below
    • When css3-background reaches CR stage, the standardized names for these properties will be added and the existing names will become compatibility aliases. This will probably not happen in the Firefox 3.1 timeframe.

Module interactions

  • What other modules are used (REQUIRES in the makefile, interfaces)
    • nothing new

Data

  • What data is read or parsed by this feature
    • the -moz-border-radius* CSS properties
  • What is the output of this feature
    • pairs of CSS values
  • What storage formats are used
    • nsCSSCornerSizes (new)
    • nsCSSValuePair (modified)
    • nsCSSMargin (modified)
    • nsStyleCorners (new)
    • nsStyleBorder (modified)

Reliability

  • What failure modes or decision points are presented to the user?
    • If the property doesn't parse properly, then the user will see an error in the Error Console as with all malformed CSS properties
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
    • n/a

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
    • none
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
    • no
  • What ranges for the tunable are appropriate? How are they determined?
    • n/a
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
    • needs to track ongoing development of the css3-background spec
    • ultimately needs to be promoted from a vendor extension when css3-background is finalized

Relationships to other projects

Are there related projects in the community?

  • Safari has their own version of this extension which is not quite the same (but will presumably be brought in line with the standard eventually).

Review comments

Retrieved from "https://wiki.mozilla.org/index.php?title=Firefox3.1/Elliptical_Border_Security_Review&oldid=109847"