Security/Reviews/F1 (round 3)
From MozillaWiki
September 26, 2011
additional data in privacy review: https://wiki.mozilla.org/Privacy/Reviews/F1A
alpha plan: https://wiki.mozilla.org/Labs/F1/AlphaPlan
- SMTP Threats
- Other add-ons might be tempted to drive this add-on's SMTP path to send spam
- How much of the UI/implementation is dynamically loaded over the network?
- There is no remotely-loaded content in the alpha release; resources are loaded from the add-on itself into sub-iframes
- In future releases, some parts of the UI will be dynamically loaded, e.g. icons for service providers?
- Thumbnails
- Page screenshot thumbnail code has been removed for this alpha release
- Follow-up Things
- Review for Injection attacks --> bsterne to file bug
- Data from content is being shared, but it isn't shared *by* content
- Content can influence what data is pre-filled via OGP (Open Graph Protocol) meta tags; a page therefore supplies attacker-chosen input to the share form, which makes it easier to mount injection attacks if there are any vulnerabilities
- Fuzz testing?
- SMTP code: https://github.com/mozilla/fx-share-addon/tree/feature/gmail/lib/email
- Need to check the SMTP code for injection attacks (CRLF in headers, SMTP commands in data) and for proper escaping of scraped values
- Make sure that the JetPack panel (used for preview) uses type="content" - verified, type is content.
- Share preview addon with secteam@mozilla.com
- Come up with a way to sign this add-on (not necessary for alpha release)
- Pages cannot trigger the sharing process in this alpha release
page scraping: https://github.com/mozilla/fx-share-addon/blob/feature/gmail/lib/panel.js#L271
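Added example, not code from the F1 add-on: it shows the injection path the notes above ask to be reviewed (OGP tags pre-filling a field that ends up in an SMTP header) with a naive header builder beside a hardened one. The page HTML, addresses and function names are constructed for the example; the scraper is a stand-in for the add-on's own panel.js scraping, and the RFC 5322/2047 handling is a generic technique, not the add-on's implementation.

```javascript
// Added example (not the F1 add-on's code): SMTP header injection through
// OGP-prefilled fields, and the escaping that blocks it. Node.js, no deps.

// Constructed page: og:title carries CRLF sequences that an attacker hopes
// will be copied verbatim into the mail's Subject header.
const sampleHtml = `<html><head>
<meta property="og:title" content="Great article\r\nBcc: victim@example.com\r\n\r\nspam body">
<meta property="og:url" content="https://example.com/article">
</head></html>`;

// Minimal OGP scraper, standing in for the add-on's own page scraping.
function scrapeOgTags(html) {
  const tags = {};
  const re = /<meta\s+property="(og:[^"]+)"\s+content="([^"]*)"/gi;
  for (const m of html.matchAll(re)) tags[m[1]] = m[2];
  return tags;
}

// Vulnerable: scraped values are concatenated straight into header lines,
// so a CRLF inside og:title terminates Subject and starts a Bcc header.
function buildHeadersNaive(fields) {
  return "From: " + fields.from + "\r\n" +
         "To: " + fields.to + "\r\n" +
         "Subject: " + fields.subject + "\r\n\r\n";
}

// Hardened: replace CR, LF and every other control character so no value
// can start a new header line, then RFC 2047 B-encode anything non-ASCII.
function sanitizeHeaderValue(value) {
  return String(value)
    .replace(/[\u0000-\u001f\u007f]/g, " ")  // covers \r and \n
    .replace(/ {2,}/g, " ")
    .trim();
}

function encodeHeaderValue(value) {
  const clean = sanitizeHeaderValue(value);
  if (/^[\x20-\x7e]*$/.test(clean)) return clean;  // plain printable ASCII
  return "=?UTF-8?B?" + Buffer.from(clean, "utf8").toString("base64") + "?=";
}

// Addresses get a strict allow-list rather than sanitisation: anything that
// is not a single bare addr-spec is rejected outright (assumed policy).
function checkAddress(addr) {
  if (!/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(addr)) {
    throw new Error("invalid address: " + JSON.stringify(addr));
  }
  return addr;
}

function buildHeadersSafe(fields) {
  return "From: " + checkAddress(fields.from) + "\r\n" +
         "To: " + checkAddress(fields.to) + "\r\n" +
         "Subject: " + encodeHeaderValue(fields.subject) + "\r\n\r\n";
}

// Parse the header block the way an MTA would: every CRLF-separated line
// before the first blank line is a header. Returning the header names makes
// an injected Bcc visible.
function headerNames(message) {
  const end = message.indexOf("\r\n\r\n");
  const block = end === -1 ? message : message.slice(0, end);
  return block.split("\r\n")
    .filter((line) => line.includes(":"))
    .map((line) => line.slice(0, line.indexOf(":")));
}

function demo() {
  const og = scrapeOgTags(sampleHtml);
  const fields = { from: "alice@example.org", to: "bob@example.net", subject: og["og:title"] };
  return {
    naive: headerNames(buildHeadersNaive(fields)),  // ["From","To","Subject","Bcc"]
    safe: headerNames(buildHeadersSafe(fields)),    // ["From","To","Subject"]
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The naive builder turns the scraped title into an extra Bcc header and a replacement body; the hardened one keeps the whole title on a single Subject line and refuses any address that is not exactly one addr-spec. Fuzzing the SMTP layer (also raised above) would feed values like this sample title, plus bare "\r\n.\r\n" sequences, into every field that reaches the wire.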