Changes


WebAppSec/Secure Coding Guidelines

608 bytes added, 00:14, 24 March 2011
Cross Domain / Unintended User Actions
* If accepting raw XML, more robust validation is necessary, and this can be complex. Please contact the [mailto:infrasec@mozilla.com infrastructure security team] for additional discussion.
==Cross Domain / Unintended User Actions==
'''Attacks of Concern''': Cross Site Request Forgery (CSRF), Malicious Framing (Clickjacking), 3rd Party Scripts, Insecure Interaction with 3rd party sites
===Preventing CSRF===
* Use careful consideration when including third-party scripts. An initial review is expected of everybody; updates to those scripts should be reviewed with the same due diligence.
* Ensure any scripts that are used are hosted locally and not dynamically referenced from a third party site.
 
===Connecting with Twitter, Facebook, etc===
* If using OAuth make sure the entire chain of communication is over HTTPS. This includes the initial OAuth request and any URLs passed as parameters.
* If redirecting to a login page for the app itself, ensure that the URL is HTTPS and also that the selected URL does not simply redirect to an HTTP version.
* Ensure the "tweet this" or "like this" button does not generate a request to the 3rd party site simply by loading the Mozilla webpage the button is on (i.e. no request is made to the third party site without the user's intent, expressed by clicking the button).
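As an added example (not part of the wiki page) of the two HTTPS checks above: a static check that an OAuth authorization URL and every URL-valued parameter it carries use https, and a redirect-chain check that flags a login URL hopping to an http location. The `head` function and the example.com hostnames are constructed stand-ins, not a real client or real endpoints.

```javascript
// Added example: HTTPS checks for OAuth requests and login redirects.
const MAX_HOPS = 5;

// Returns a list of problems found in an OAuth authorization URL; empty means OK.
// Every parameter whose value is itself an absolute URL must also be https.
function checkOAuthRequest(authorizeUrl) {
  const problems = [];
  const url = new URL(authorizeUrl);
  if (url.protocol !== "https:") problems.push(`endpoint uses ${url.protocol}`);
  for (const [name, value] of url.searchParams) {
    // Only parameters carrying an absolute URL (scheme://...) are inspected.
    if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) continue;
    let inner;
    try {
      inner = new URL(value);
    } catch {
      problems.push(`parameter ${name} is not a valid URL`);
      continue;
    }
    if (inner.protocol !== "https:") problems.push(`parameter ${name} uses ${inner.protocol}`);
  }
  return problems;
}

// Follows a redirect chain using an injected head(url) function that returns
// { status, location } and reports the first hop that is not https.
function checkRedirectChain(startUrl, head) {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const u = new URL(current);
    if (u.protocol !== "https:") {
      return { ok: false, url: current, reason: `hop ${hop} downgrades to ${u.protocol}` };
    }
    const res = head(current);
    if (res.status < 300 || res.status >= 400 || !res.location) {
      return { ok: true, url: current, hops: hop };
    }
    current = new URL(res.location, current).href; // resolve relative Location headers
  }
  return { ok: false, url: current, reason: "too many redirects" };
}

// Constructed stub standing in for HEAD requests (no network access).
const STUB_RESPONSES = {
  "https://login.example.com/": { status: 302, location: "http://login.example.com/signin" },
  "http://login.example.com/signin": { status: 200 },
  "https://accounts.example.com/": { status: 301, location: "/signin" },
  "https://accounts.example.com/signin": { status: 200 },
};
function stubHead(url) { return STUB_RESPONSES[url] || { status: 404 }; }
```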
==Secure Transmission==