Security/Automation/Winter Of Security 2016/Ringleader Support for e10s


Team

Introduction

We are students of JIIT, Noida, India. All three of us are open-source fanatics with experience in different fields.

We are all members of the open-source society of our college. The society has been running for many years, and through it we share our adventures, learning and passion for open-source development.


Members

Project

Description

FxPnH is a Firefox add-on that makes it possible to use Firefox with Plug-n-Hack providers.

Success Criteria

This project is successful if:

Timeframe: March 2017.

Updates

Week One (2016-10-14)

  • Discussed the current issues and the possible outcomes:
    • Retain support for GCLI configuration and the service command
    • Support extracting TLS keys to allow non-terminating inspection / modification of TLS traffic
    • The project is already set up

Week Two (2016-10-21)

  • Possible approaches for supporting Electrolysis (e10s):
    • Split the add-on into two parts: content scripts (which only interact with the document) and the privileged add-on code
    • Use the higher-level SDKs for now instead of WebExtensions, since WebExtensions might not yet provide the required functionality
    • Configure: point the browser at the proxy, fetch the configuration and install the provider's local CA certificate
    • Start Firefox and make sure ZAP is running, then open the Plug-n-Hack URL on ZAP: http://localhost:8080/pnh/?apikey=KEY (where KEY is the ZAP API key)
    • Point the add-on at the running ZAP instance

Week Three (2016-11-03)

  • Started working through the add-on code:
    • Discussed the sample multi-process extension created by Mark.
    • Fetch the HTML page from ZAP, pass it to Ringleader, and then handle the interaction.
    • Build a version of the add-on that completes the setup part of the configuration successfully.

Week Four (2016-11-15)

  • Security check: make sure the setup event is fired by real user input and not by a page script:
    • The handleSetup function is only called on a user mouse click or keyboard input.
  • Current configuration name -- no configuration is being saved yet.
  • Ask on IRC (#addons) whether add-on storage is visible/accessible to content.
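The two notes above fit together: under e10s the content script can only see the document (Week Two), so the "only on a real user gesture" check (Week Four) has to run there, while the privileged side must independently verify where the request came from before touching proxy settings. The following is an added illustration written for this page, not Ringleader's or the project's own code. The function names (shouldHandleSetup, buildSetupMessage, validateSetupRequest), the PNH_ORIGINS allow-list and the "#pnh-setup" element id are assumptions; the ZAP origin is taken from the Week Two notes.

```javascript
"use strict";

// Origins the add-on will accept a Plug-n-Hack setup request from.
// Assumption for this example: a local ZAP instance on its default port.
const PNH_ORIGINS = ["http://localhost:8080"];

// --- Content-script side ---------------------------------------------------
// Browsers set `event.isTrusted` only on events they generate themselves.
// An event a page script builds with `new MouseEvent("click")` and dispatches
// arrives with isTrusted === false, so a hostile page cannot "click" the setup
// control on the user's behalf.  Only a primary-button click or an activation
// key counts as a user gesture here.
function shouldHandleSetup(event) {
  if (!event || event.isTrusted !== true) {
    return false;
  }
  if (event.type === "click") {
    return event.button === 0;
  }
  if (event.type === "keydown") {
    return event.key === "Enter" || event.key === " ";
  }
  return false;
}

// The message crossing the process boundary carries plain data only: no DOM
// nodes, no functions.  (Assumed message shape for this example.)
function buildSetupMessage(pageUrl, manifestUrl) {
  return { type: "pnh-setup", pageUrl, manifestUrl };
}

// --- Privileged (background) side ----------------------------------------
// Never trust the content script's own claim about where it runs.  Re-derive
// the origin from the `sender` object the browser attaches to the message and
// from the manifest URL, and require both to match an allow-listed provider.
function validateSetupRequest(sender, msg, allowedOrigins = PNH_ORIGINS) {
  if (!msg || msg.type !== "pnh-setup" || typeof msg.manifestUrl !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  let senderOrigin;
  let manifestOrigin;
  try {
    senderOrigin = new URL(sender && sender.url).origin;
    manifestOrigin = new URL(msg.manifestUrl).origin;
  } catch (e) {
    return { ok: false, reason: "unparseable url" };
  }
  if (!allowedOrigins.includes(senderOrigin)) {
    return { ok: false, reason: "sender origin " + senderOrigin + " not allowed" };
  }
  if (manifestOrigin !== senderOrigin) {
    return { ok: false, reason: "manifest origin differs from page origin" };
  }
  return { ok: true, manifestUrl: msg.manifestUrl };
}

// Wiring.  In a real add-on the two halves live in separate scripts; they are
// shown together here and only execute when the WebExtension `browser` global
// exists, so the pure functions above remain testable under Node.
if (typeof browser !== "undefined" && browser.runtime) {
  // content script: the provider's page exposes a setup control (assumed id)
  const control = typeof document !== "undefined" && document.querySelector("#pnh-setup");
  if (control) {
    const onActivate = (event) => {
      if (!shouldHandleSetup(event)) {
        return;
      }
      browser.runtime.sendMessage(buildSetupMessage(location.href, control.href));
    };
    control.addEventListener("click", onActivate);
    control.addEventListener("keydown", onActivate);
  }
  // background script: gate the privileged work on validation
  browser.runtime.onMessage.addListener((msg, sender) => {
    const verdict = validateSetupRequest(sender, msg);
    if (!verdict.ok) {
      console.warn("rejected pnh-setup:", verdict.reason);
      return;
    }
    // fetch verdict.manifestUrl, configure proxy, install CA certificate ...
  });
}

module.exports = { PNH_ORIGINS, shouldHandleSetup, buildSetupMessage, validateSetupRequest };
```

The gesture check alone is not enough: a content script injected into the provider's page can be reached by any message a page on the same origin sends, and `sender.url` is the one field the browser itself fills in, which is why the background side re-checks the origin rather than trusting `pageUrl` from the message.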

Week Five (2016-11-24)

  • The tab ID is not necessary as of now -- it is an addition.
  • Compare the tab ID from the window with the one from the channel to confirm that the new API's tab key is correct and reliable.
  • Why `getKeyFromContext` and `getDocumentFromContext` exist:
    • A command specified by the tool could include a descriptor saying what data to send to the tool.
    • They allow commands to send data to the tool even if it was not explicitly specified.
  • Try to get GCLI working upstream, but don't let it block progress -- use the webpack-generated file for now.
  • Verify multiple configurations (with OWTF).
  • For now, run everything inside secutils.js in a global context instead of fetching specific tab IDs.
  • Work out a clear plan for progressing further.