User:Dmose:Protocol Handler Security Review: Difference between revisions

User:Dmose:Protocol Handler Security Review (view source)

53 bytes added , 31 October 2007

Confirmed users

2,615

edits

@@ Line 44: / Line 44: @@
 * What security issues do you address in your project?
 * Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
 ** mime-types.rdf corruption / missing
+*** will use reasonable defaults
 ** application pref file (firefox.js or equivalent) missing
+*** blacklist gone; security holes opened;
+    but if firefox.js is gone, you've already lost
 ** user prefs.js missing
 * Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
 ** Assumptions
@@ Line 55: / Line 56: @@
 ** Potential Risks
 *** Phishy? (Encourages in-browser auth?)
-**** trains user
 **** not notably worse than current situation
-**** need to try not to break future identity/auth mitigations
+**** should avoid breaking identity/auth mitigations
-**** same window/tab or different window/tab?
 *** The HTML5 spec has a [http://www.whatwg.org/specs/web-apps/current-work/#security3 list of possible security issues] that should be gone through
 *** register{Content,Protocol}Handler need to use checkLoadURI ({{bug|401343}})