Firefox3.1/AboutSessionrestore Security Review: Difference between revisions

Jump to navigation Jump to search

Firefox3.1/AboutSessionrestore Security Review (view source)

Revision as of 17:09, 1 November 2008

6 bytes added ,  1 November 2008
m
no edit summary
(filled out review)
mNo edit summary
Line 12: Line 12:
** Wrongly configured prefs will break the SessionStore service as a whole. Shipped default preferences should prevent this from accidentally happening.
** Wrongly configured prefs will break the SessionStore service as a whole. Shipped default preferences should prevent this from accidentally happening.
* Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
* Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
** Web content *must* not be able to access about:sessionrestore, as this page contains potentially sensitive data (the whole session) and the possibility to load arbitrary URLs/cookies (needed to selectively restore the session). It is assumed that correctly implementing nsIAboutModule prevents this from happening.
** Web content '''must''' not be able to access about:sessionrestore, as this page contains potentially sensitive data (the whole session) and the possibility to load arbitrary URLs/cookies (needed to selectively restore the session). It is assumed that correctly implementing nsIAboutModule prevents this from happening.
* How are transitions in/out of Private Browsing mode handled?
* How are transitions in/out of Private Browsing mode handled?
** about:sessionrestore is displayed before the user could enter private browsing mode.
** about:sessionrestore is displayed before the user could enter private browsing mode.
Line 44: Line 44:
== Configuration ==
== Configuration ==
* Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
* Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
** The only added pref is *browser.sessionstore.max_resumed_crashes* (default value: 1) which determines after how many consecutive crashes about:sessionrestore is displayed (setting that value to -1 prevents the page from being displayed). Firefox in Safe Mode ignores this preference.
** The only added pref is ''browser.sessionstore.max_resumed_crashes'' (default value: 1) which determines after how many consecutive crashes about:sessionrestore is displayed (setting that value to -1 prevents the page from being displayed). Firefox in Safe Mode ignores this preference.
* Are there build options for developers? [#ifdefs, ac_add_options, etc.]
* Are there build options for developers? [#ifdefs, ac_add_options, etc.]
** No
** No
Zeniko
65

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/114862"

Navigation menu