| Line 56: | Line 56: | ||
| Client browser | | Client browser | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | Patrick confirmed that the context should hold | ||
|- | |- | ||
| Mixed content {{bug|662692}} | | Mixed content {{bug|662692}} | ||
| Line 62: | Line 62: | ||
| Client browser | | Client browser | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | Bug filed, should not delay shipping in FX6, team is aware and dealing with the issue | ||
|- | |- | ||
| CSP support | | CSP support | ||
| Line 68: | Line 68: | ||
| Client browser | | Client browser | ||
| Browser feature consistency | | Browser feature consistency | ||
| bsterne looking into proposal to extend CSP to support websockets src/origin along with other features | | | ||
# bsterne looking into proposal to extend CSP to support websockets src/origin along with other features | |||
# if only default policy this is nonideal as other browsers may ignore this (Chrome would let this through in its current incarnation) | |||
# [bsmith] bug: to not use default policy | |||
|- | |- | ||
| HSTS support {{bug|664284}} | | HSTS support {{bug|664284}} | ||
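Review bot: Item 3 of the new CSP list, "[bsmith] bug: to not use default policy", records an action without a bug number, while other rows link theirs with {{bug|...}}; add the link once the bug is filed. Item 2 is also hard to follow: say what falls under the "default policy" and why other browsers ignoring it matters, since the Chrome remark depends on that.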
| Line 74: | Line 77: | ||
| Client browser | | Client browser | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | | ||
# Tests should be written for this | |||
# Fix what tests show does not work | |||
|- | |- | ||
| IFrame origin handling {{bug|664301}} | | IFrame origin handling {{bug|664301}} | ||
| Line 81: | Line 86: | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | | ||
# Bug filed, however this may not be an issue discussion to continue via the bug | |||
|- | |- | ||
| Private browsing mode / session restore | | Private browsing mode / session restore | ||
| Line 87: | Line 93: | ||
| Browser feature consistency / Privacy | | Browser feature consistency / Privacy | ||
| | | | ||
# The connections are torn down and not reused | |||
|- | |- | ||
| CSRF / cookies | | CSRF / cookies | ||
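Review bot: The added note "The connections are torn down and not reused" does not say which half of the row it answers. The row is titled "Private browsing mode / session restore", so state whether the teardown applies on the private browsing transition, on session restore, or both, and whether a test covers it.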
| Line 93: | Line 100: | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | | ||
# Same base issue as {{bug|664031}} ? | |||
# Possible privacy issues as this is like CORS | |||
## Cookies in websockets are treated as 3rd party cookies all the time? -> Yes; {{bug|574897}} may be related and should be retested | |||
# Investigate both bugs and address | |||
|- | |- | ||
| Fragmented frames | | Fragmented frames | ||
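Review bot: Item 1 cites {{bug|664031}}, but the IFrame origin handling row on this page cites {{bug|664301}}; check whether the digits are transposed, since the trailing "?" already marks the reference as uncertain. Item 4, "Investigate both bugs and address", names no owner, unlike the "[bsmith]" and "[dchan]" items in other rows.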
| Line 99: | Line 110: | ||
| Input validation | | Input validation | ||
| | | | ||
# Need to decide how frames will be parsed | |||
# Test needed for this behavior | |||
# [christoph] fuzzing server? --> [imelven]file a bug for this (non frag frame where we expect a frag frame) | |||
|- | |- | ||
| Frame handling | | Frame handling | ||
| Line 105: | Line 119: | ||
| Input validation | | Input validation | ||
| | | | ||
# See above ^^ | |||
|- | |- | ||
| SSL/TLS | | SSL/TLS | ||
| Line 111: | Line 126: | ||
| Cryptography | | Cryptography | ||
| | | | ||
# [bsmith] bug: that will block un-prefixing, this is OK to go for now | |||
|- | |- | ||
| Connection redirects | | Connection redirects | ||
| Line 117: | Line 133: | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | | ||
# Currently redirects are not done, the user can turn this on | |||
# This may need re-evaluation this at the next version | |||
# API to explicitly allow | |||
# [dchan] bug: to track and work this | |||
|- | |- | ||
| Proxies | | Proxies | ||
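Review bot: Item 3, "API to explicitly allow", does not say what is allowed or who allows it. If it refers to opting in to redirects, say so and say how it relates to the user setting mentioned in item 1. Item 2 has a duplicated "this", and item 4 should carry the bug number once the tracking bug exists.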
| Line 123: | Line 143: | ||
| Input validation / Cryptography / Browser feature consistency | | Input validation / Cryptography / Browser feature consistency | ||
| | | | ||
# This is already fixed and not an issue | |||
# Should there be a specific webproxy proxy? --> the spec does mandate some proxy behavior, but the spec is silent currently on a specific proxy, we could pursue one if we find a reason to later | |||
|- | |- | ||
| Cross-origin requests | | Cross-origin requests | ||
| Line 129: | Line 151: | ||
| Denial of service / Browser feature consistency | | Denial of service / Browser feature consistency | ||
| | | | ||
# issue is moot given other items | |||
|- | |- | ||
| Callback manipulation | | Callback manipulation | ||
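Review bot: "issue is moot given other items" closes the cross-origin row without naming the items it relies on. List the rows or bugs that cover it, so the denial of service classification on this row can be re-checked if any of them changes.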
| Line 135: | Line 158: | ||
| Input validation | | Input validation | ||
| | | | ||
# DOM handling of websockets | |||
# JS does not do partial messages, so its not an issue | |||
# message instead of stream API | |||
|- | |- | ||
| Datatype manipulation | | Datatype manipulation | ||
| Line 141: | Line 167: | ||
| Input validation | | Input validation | ||
| | | | ||
# see above ^^ | |||
|- | |- | ||
| Default settings | | Default settings | ||
| Line 147: | Line 174: | ||
| Browser feature consistency / Privacy | | Browser feature consistency / Privacy | ||
| | | | ||
# List of prefs set by websockets --> about:config websockets | |||
# [dchan] bug: for MDN article assign to sherry keyword:devdocneeded | |||
# [dchan] bug: add-on prefs to verifier for dangerous prefs | |||
|- | |- | ||
| Chrome privileges | | Chrome privileges | ||
| Line 153: | Line 183: | ||
| Browser feature consistency | | Browser feature consistency | ||
| | | | ||
# non-issue | |||
|- | |- | ||
| Resource starvation {{bug|664305}} | | Resource starvation {{bug|664305}} | ||
| Line 159: | Line 190: | ||
| Denial of service | | Denial of service | ||
| | | | ||
# bug already filed for this, likely not an issue | |||
|} | |} | ||