Security/Reviews/Gaia/InterAppCommunicationAPI: Difference between revisions

Jump to navigation Jump to search

Security/Reviews/Gaia/InterAppCommunicationAPI (view source)

Revision as of 21:14, 31 January 2014

818 bytes removed ,  31 January 2014
→‎XSS & HTML Injection Attacks
Line 102: Line 102:
=== Gaia ===
=== Gaia ===
==== XSS & HTML Injection Attacks ====
==== XSS & HTML Injection Attacks ====
User controlled values are pretty much limited to filename. The filename is displayed in the notifications pull-down as well as the Settings Downloads list. [https://bugzilla.mozilla.org/show_bug.cgi?id=960749 960749] prevented us from being able to completely check for HTML injections. (See Future Work below)
TBD
 
Based on source code inspection, there are no dangerous coding practices (like misuse of innerHTML) that will result in HTML/JS injections.
 
Characters ',",>, \, & and < were tested in filenames. We could not directly test > or < because the filesystem disallowed those characters in filenames, however we did use App Manager to break into the JS and insert those characters to see if filenames were rendered safely in the Notifications pull down as well as the Settings->Downloads menu.


==== Secure Communications ====
==== Secure Communications ====
Rfletcher
Confirmed users
353

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/912279"

Navigation menu