Security/Reviews/Firefox4/Update Billboard Security Review
- Increase the size of the billboard.
- Prevent showing the billboard when the billboard is not available.
- Billboard should extend to available space and the update UI should be the same width for all locales (bug 480178)
- Billboard should handle 404 (other errors?) for billboard better (bug 548061)
Please list the top 3 security threats you have considered during the design and implementation of this feature. Consider attack points as well as code that feels fragile.
None that I can think of. The only change that involves remote content is a hasAttribute check on the billboard's html body.
What mitigations have you implemented?
Topics To Discuss During The Review
Please be prepared to discuss the topics listed at ReviewTopics as they relate to your feature / project. Optionally, you may copy the most relevant questions here and answer them before the review, which could speed up the review meeting.
hasAttribute is used to check for the existence of an attribute on the body of the remote html used for the billboard. My understanding is that this is safe and Mr BKap confirmed this. When the attribute doesn't exist (e.g. connection requires authentication, etc.) then the non-billboard update ui is displayed.