Security/Reviews/B2G/DownloadManager

From MozillaWiki

Interfaces with other Apps/Content

The Download Manager API is used within the System and Settings applications only - there are no Web Activities or other entry points that expose the downloads functionality to other apps or content.

XSS & HTML Injection Attacks

User-controlled values are essentially limited to the filename. The filename is displayed in the notifications pull-down as well as in the Settings Downloads list. Code review of the Gaia code showed that download names are rendered through the existing Notifications code, which uses safe practices (.textContent exclusively) to display notification details, so a filename containing markup is shown as inert text rather than parsed as HTML.
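The review finding above rests on the Notifications code assigning the filename only through .textContent. As an added example (not part of the original review or of Gaia), the following script automates that check: it flags HTML-interpreting DOM sinks (innerHTML, outerHTML, insertAdjacentHTML, document.write) that receive anything other than a plain string literal, and passes source that sticks to textContent. The two snippets it runs on are constructed illustrations, not Gaia code, and the scanner assumes one statement per line ending in a semicolon.

```python
import re

# HTML-interpreting DOM sinks: a download filename reaching one of these is
# parsed as markup (HTML injection); textContent never is.
HTML_SINK_RE = re.compile(
    r"\.(innerHTML|outerHTML)\s*(\+?=)\s*(?P<rhs>[^;]+);"
    r"|\.insertAdjacentHTML\s*\((?P<arg>[^)]*)\)"
    r"|document\.write\s*\((?P<warg>[^)]*)\)"
)
# A lone quoted string literal, which cannot carry user-controlled data.
STRING_LITERAL_RE = re.compile(r"^\s*(['\"])(?:(?!\1).)*\1\s*$")


def find_html_sinks(source):
    """Return (line_no, line) for every HTML sink fed a non-literal value."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in HTML_SINK_RE.finditer(line):
            value = m.group("rhs") or m.group("arg") or m.group("warg") or ""
            if m.group("arg") is not None:
                # insertAdjacentHTML(position, html): only the html argument matters
                value = value.split(",", 1)[-1]
            if not STRING_LITERAL_RE.match(value):
                findings.append((n, line.strip()))
    return findings


def uses_text_content_only(source):
    """True when the source renders via textContent and has no dynamic HTML sink."""
    return not find_html_sinks(source) and ".textContent" in source


# Constructed unsafe pattern (hypothetical, not Gaia code): the filename is
# concatenated into innerHTML, so markup in the name would be rendered.
UNSAFE_SNIPPET = """
var title = document.createElement('div');
title.innerHTML = '<b>' + download.fileName + '</b>';
"""

# Constructed safe pattern matching what the review describes: the filename
# is assigned through textContent and stays inert text.
SAFE_SNIPPET = """
var title = document.createElement('div');
title.textContent = download.fileName;
"""

if __name__ == "__main__":
    for name, src in (("unsafe", UNSAFE_SNIPPET), ("safe", SAFE_SNIPPET)):
        print(name, find_html_sinks(src), uses_text_content_only(src))
```

Run over a checkout's notification-rendering files, an empty findings list is the evidence the review statement asks for; any hit is a line to inspect by hand.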