canmove, Confirmed users
1,220
edits
Security/Reviews/Gaia/homescreen: Difference between revisions
Jump to navigation
Jump to search
Security/Reviews/Gaia/homescreen (view source)
Revision as of 03:59, 22 February 2013
, 22 February 2013→Web Activity Handlers
Ptheriault (talk | contribs) |
Ptheriault (talk | contribs) |
||
| Line 28: | Line 28: | ||
====Web Activity Handlers ==== | ====Web Activity Handlers ==== | ||
Other apps/pages can send a bookmark activity to the homescreen to request a url be bookmarked as an icon on the homescreen. | |||
The code for this handler is here: http://mxr.mozilla.org/gaia/source/apps/homescreen/js/save-bookmark.js | |||
The handler then calls BookmarkEditor.init(options), with options containing the data from the activity, which displays screen for the user to edit the bookmark before it is added. | |||
The user then chooses to save (or cancel) and the bookmarkurl is check to make sure it starts with http(s): | |||
<code> | |||
// Only allow http(s): urls to be bookmarked. | |||
if (/^https?:/.test(this.bookmarkUrl.value) == false) | |||
return; | |||
</code> | |||
The name or icon parameters are not sanitized at all, so there is a spoofing risk here. | |||
*Issue:setting iconable to true, and supplying an icon, results in a app pinned with no icon, and its not possible to remove these from the homescreen. | |||
(still investigating this) | |||
====Web Activity Usage ==== | ====Web Activity Usage ==== | ||