Security/Reviews/ActionItems
SecReview Name | Action Item Status | Target Rel | Action Items |
B2G Device Storage | In Progress |  | * Who :: What :: By when
* pault :: check with cjones around sizes / DoS risks / paths / partitions
* dougt :: investigate file blob -> File handle patch
* dougt & djf :: further investigate permission granularity/implementation
* adamm :: file bug that isSafePath checks for "." and ".." paths, but "..." would get by |
Identity KPI Backend | In Progress |  | * code review of JS (when ready) |
Kuma 2.0 | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug) |
Android Service Based Installer | In Progress |  |  |
Audio Recording - Web API & Implementation | In Progress |  | * Pauljt :: determine the threat model for WebRTC ::
* Cdiehl :: fuzz this API ::
* Pauljt :: Tainting audio/video elements with cross-origin audio data, so that this API fails in such cases (i.e. a web page should not be able to access the contents of cross-origin resources) :: |
Autoland | In Progress |  | * autolander and patch reviewer must not be the same person |
Automated/Assisted landing from Bugzilla to tip of $branch | In Progress |  |  |
B2G AppUpdates | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
* --> [jsmith] Just tested, no UI shown, update is automatically applied |
B2G Browser | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug) |
B2G Updates | In Progress |  | * bbondy :: Check to make sure the update is not significantly larger than expected, to prevent disk space being exhausted :: https://bugzilla.mozilla.org/show_bug.cgi?id=801855 (Resolved)
* pauljt :: Fuzz MAR format :: bug 804046 (Resolved) |
B2G Web Activities | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
* pauljt :: Revisit spoofing when doing security testing of web activities :: Post implementation
* pauljt :: Ensure registered URL is restricted to same origin based on principal ::
* fabrice :: Restrict handling sensitive activities (SMS, others?) to trusted or certified apps :: |
Balrog | In Progress | Q2 goal for live in nightly channel | * bhearsum :: Are MAR signatures checked on all platforms? Only on Windows, but hashes are checked on all platforms |
Identity Project BigTent | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug) |
Profile feature of Mozilla Persona/BrowserID | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug) |
Browser ID Sync Integration | In Progress |  |  |
Campaign management / product announcements for Firefox for Android | In Progress |  | * Snippet poll must be over SSL - let's make sure. |
Chicago Summer of Learning Website (incl. aestimia and openbadger) | In Progress |  | * chris :: add persona-auth to demo/ :: xx |
Click to Play Plugins | In Progress |  | * Keeler :: ability to differentiate plugins in persisted permissions :: https://bugzilla.mozilla.org/show_bug.cgi?id=746374 :: FF19? |
Developer tools: Debugger | In Progress |  |  |
Fennec Private Browsing | In Progress |  |  |
GCLI | In Progress |  |  |
Geolocation WebAPI | In Progress |  |  |
Implement new IDN Unicode display algorithm | In Progress |  |  |
In App Payment | In Progress |  |  |
Add --marionette CLI to enable Marionette on all Firefox builds | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug) |
Metrics Data ping | In Progress | Firefox 12 |  |
Extend Pointer Lock (Mouse Lock) for non-fullscreen elements | In Progress |  | * Can we make sure that Esc (and cursor keys) cannot be used as a "user-triggered event handler" for the purpose of opening popups etc.? Or maybe only a whitelist of keycodes / charcodes (space, enter, printable characters). https://bugzilla.mozilla.org/show_bug.cgi?id=748198 |
Network Monitor | In Progress |  |  |
Notifications Backend | In Progress |  |  |
Packaged Apps: Signing & Revocation | In Progress |  | * Our app "revocation" seems to depend on the app coming from the marketplace (not simply being signed by the marketplace). Nothing at the moment seems to stop a web site from installing a copy of a marketplace-signed privileged app. (Is that a problem?) |
Persona Realms SSO | In Progress |  | * technical privacy review |
Plugin Overlay API | In Progress |  |  |
Security/Reviews/Push API | In Progress | B2G Basecamp |  |
Reader Mode | In Progress |  |  |
Release Kickoff System | In Progress |  |  |
Create API for content to keep the screensaver from turning on (or to prevent phone/tablet's screen from turning off) | In Progress |  |  |
Settings API | In Progress |  |  |
Simple Push API | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
* pauljt :: Web App Test of Server Component :: when we can
* pauljt :: Web App Test of Telefonica Component :: ASAP
* Jlebar :: Review notification Telefonica server :: ASAP |
Firefox/SocialAPI/ | In Progress |  |  |
Expose a client TCP socket/UDP datagram API to web applications | In Progress |  |  |
Web Bluetooth | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
* dchan :: gonk update strategy for bluetooth, camera, etc.
* dchan :: looking into dbus testing tools that ChromeOS uses |
WebRT | In Progress |  |  |
WebSMS | In Progress |  |  |
Web Telephony | In Progress |  |  |
Windows 8 Metro Firefox | In Progress |  |  |
EsFrontLine | In Progress |  | * Stefan :: test the search filtering (http://klahnakoski-es.corp.tor1.mozilla.com:9292/) :: ?? |
Private Elastic Search | In Progress |  | * add "this is private" indicator |
Navigator.pay | In Progress |  | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
* pauljt :: Review trusted modal dialog JS :: asap |
Token Server Client & Java BrowserID crypto library for Android services projects | In Progress |  | * nalexander :: try to find diagram showing token flows through servers and clients for dchan :: Friday, 22 November
* dchan :: reach out to platform / fxos teams for their implementations of this dance :: Friday, 22 November
* yvan :: schedule Fx Accounts sec-review for protocol :: Friday, 22 November |
IM in ThunderBird | In Progress | Thunderbird 13 |  |