Firefox 3.6/AboutSupport Security Review: Difference between revisions

Firefox 3.6/AboutSupport Security Review (view source)

803 bytes added , 16 October 2009

213

edits

@@ Line 20: / Line 20: @@
 == Security and Privacy ==
 * Is this feature a security feature?  If it is, what security issues is it intended to resolve?
+** ''This feature is not a security feature.''
 * What potential security issues in your feature have you already considered and addressed?
+** ''We no longer show the profile directory pathe in the page.  We have also introduced a preferences whitelist so we only display prefs that are useful and don't pose a serious risk to the user's privacy.''
 * Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
+** ''Missing prefs would actually reduce the risk posed by this feature.  A hacked whitelist could pose some interesting implications, but if an attacker can hack the whitelist, they can probably do far more direct damage.''
 * Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
+** ''This feature has fairly serious privacy implications.  The contents of the about:support page could get pasted into publicly accessible and searchable Internet content, such as support forums.  Each piece of information displayed in the page needs to be evaluated for privacy implications.''
 * How are transitions in/out of Private Browsing mode handled?
+** ''Shouldn't matter.''
 == Exported APIs ==