canmove, Confirmed users
640
edits
Security/Reviews/Firefox4/Desktop Notifications Security Review: Difference between revisions
Jump to navigation
Jump to search
Security/Reviews/Firefox4/Desktop Notifications Security Review (view source)
Revision as of 22:35, 18 October 2010
, 18 October 2010→Review comments
| Line 49: | Line 49: | ||
** sometimes we load and create the image | ** sometimes we load and create the image | ||
** sometimes we pass the URL | ** sometimes we pass the URL | ||
** | ** best to restrict to http/https, definitely a whitelist of some sort | ||
*** if data: is allowed create as <IMG> | *** if data: is allowed create as <IMG> | ||
*** filed {{bug|xxxxx}} | |||
* sites can send a different image with each request? | * sites can send a different image with each request? | ||
** lots of spoofing possibilities | ** lots of spoofing possibilities | ||
| Line 64: | Line 65: | ||
*** Android notifications always use the Fennec icon | *** Android notifications always use the Fennec icon | ||
** Fixed text pattern? (e.g. "Tweet from *") | ** Fixed text pattern? (e.g. "Tweet from *") | ||
* how do you cancel permission for an overly-talkative (or even abusive) site? | |||
* need a global off switch (presentation mode?) | |||
* in Private Browsing mode doesn't save settings | |||