Search by property


This page provides a simple browsing interface for finding entities described by a property and a named value. Other available search interfaces include the page property search, and the ask query builder.


A list of all pages that have property "SecReview action items" with value " * Snippet poll must be over SSL - let's make sure. ". Since there have been only a few results, also nearby values are displayed.

Showing below up to 48 results starting with #1.

List of results

    • Security/Reviews/esFrontline  + (
      * Stefan :: test the search filtering (http://klahnakoski-es.corp.tor1.mozilla.com:9292/) :: ??
      * mgodwin :: investigate if there's been progress on sandboxing ES
      * Kyle :: look at dynamic script options
      * Kyle :: add bug to disable MVEL https://bugzilla.mozilla.org/show_bug.cgi?id=943087
      * jeff :: ensure logs from this end up in the bunker ES cluster )
    • Security/AppsProject/B2GDeviceStorage  + (
      * Who :: What :: By when
      * pault :: check cjones around sizes/dos risks/paths/partitions
      * dougt :: Investigate file blob -> File handle patch
      * dougt & Djf :: Further investigate permission granularity/implementation
      * adamm :: file bug that isSafePath checks for "." and ".." paths, "..." would get by. Other patterns that have historically caused abuse are in https://code.google.com/p/fuzzdb/source/browse/trunk/attack-payloads/path-traversal/traversals-8-deep-exotic-encoding.txt (ignore %encoded ones in this context)
      * dougt :: fix [https://bugzilla.mozilla.org/show_bug.cgi?id=xxx bug xxx] filed by adamm above )
    • Security/Reviews/navigator.pay  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * pauljt :: Review trusted modal dialog js :: asap
      * dchan :: Investigate marketplace JWT generation code (have to review at the spec level, app servers can generate tokens as well)
      * pauljt :: Prevent navigator.pay from the background :: [https://bugzilla.mozilla.org/show_bug.cgi?id=776417 Bug raised] )
    • Security/Reviews/BrowserIDProfiles  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * Yvan Boily :: code review :: before launch
      * identity team :: What are each of the milestones, how can these steps be broken down, specify when there is an increase in data collected. )
    • Security/Reviews/SimplePush  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * pauljt :: Web App Test of Server Component :: when we can.
      * pauljt :: Web App Test of Telefonica Component :: ASAP
      * Jlebar :: Review notification telefonica server :: ASAP )
    • Security/Reviews/B2GWebActivities  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * pauljt :: Revisit spoofing when doing security testing of web activities :: Post Implementation
      * pauljt :: ensure registered URL is restricted to same origin based on principal
      * fabrice :: Restrict handling sensitive activities (sms, others?) to trusted or certified apps. )
    • Security/Reviews/B2GBrowser  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * pauljt :: List of the required UI for URL Bar (SSL indicators etc?) :: by Aurora
      * pauljt :: Security testing of Browser API :: before beta completion )
    • Security/Reviews/TogetherJS  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * TogetherJS Team :: add a warning to not provide sensitive information (can go in FAQ?) :: https://github.com/mozilla/togetherjs/issues/848 https://github.com/mozilla/togetherjs/issues/840 (at least the user identity part)
      * TogetherJS Team :: offsite navigation (not allowed by default, whitelist for allowable) :: https://github.com/mozilla/togetherjs/issues/847 )
    • Security/Reviews/MarionetteCLIAll  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * Marionette Team :: reopen and address 741812 for AMO :: before enabling in optimize builds )
    • Security/Reviews/BigTent  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * [dchan] - Contact ozten and team about testing environment by EOD 08/20 )
    • Security/Reviews/WebBluetooth  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * dchan - gonk update strategy for bluetooth, camera, etc
      * dchan - looking into dbus testing tools that ChromeOS uses )
    • Security/Reviews/B2GAppUpdates  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      ** Confirm the update UI for pure hosted apps (ie no appcache) --> [jsmith] Just tested, no UI shown, update is automatically applied
      ** Storage permission could be granted by MITM to a hosted app not using SSL. This grants unlimited storage, so the MITM could then try to fill up the disk.
      ** Add UI showing the source of the app (install and app info section, under permission) --> install prompt bug might be https://bugzilla.mozilla.org/show_bug.cgi?id=827562 )
    • Security/Kuma2  + (
      * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
      * adamm :: review list of bleached whitelist items :: before launch
      * adamm :: Diagram overall architecture, build high-level architecture :: asap
      ** Identify existing areas of known tech debt :: asap
      ** adamm :: Review architecture, identify areas of architectural risk :: asap
      * adamm :: Identify defensive approaches defined by the project for handling expected types of bugs (injection, output encoding, csrf, etc) :: asap
      ** code-review areas identified as high-risk
      * adamm :: Identify areas of technical risk which warrant code review
      * adamm :: Black-box test of staging environment )
    • SocialAPIMultiProvider  + (
      * [dchan] - Follow up with clouserw on origin verification process for AMO / marketplace directory provided manifests - I don't think that he has even begun thinking about social support at all yet
      * [dchan] - Look into about:socialerror chrome privileges and file bug if needed
      * [psiinon] Test to make sure only script accessible cookies will be available to providers
      * [psiinon] http/https discussion
      * [psiinon] Investigate collecting FHR metrics inc http/https )
    • Security/Reviews/testreview  + (
      * [who] <> does what <> by when <> completed date
      Who | Action | By When | Completed date )
    • Security/Reviews/esPrivate  + ( * add "this is private" indicator * remove legal, hr, finance, confidential (and more?) * verify if legal product dominates all the confidential bugs )
    • Security/Reviews/Autoland  + (
      * autolander and patch reviewer must not be the same person
      * individuals in the autoland group must be educated to respect sec-approval needs (security team to educate sheriffs and release management folks).
      * bug commit message and bug number must match (people fat finger this, or attackers could try to confuse us as to where a patch came from) )
    • Security/Reviews/Balrog  + (
      * bhearsum :: Are MAR signatures checked on all platforms? Only on windows, but hashes checked on all platforms
      * releng :: whitelisting URLs that we point to
      * releng :: notifications upon human addition (maybe change too?) of a release
      * bhearsum :: db dump w/ instructions on how to use
      * psiinon :: pentest admin UI )
    • Security/Reviews/ChicagoSummerLearning  + ( * chris :: add persona-auth to demo/ :: xx )
    • Security/AppsProject/IdentityKPIBackend  + ( * code review of JS (when ready) * code review of WebService API (when ready) )
    • Security/Reviews/Accounts Sync  + (
      * grant jeff (jbryner@mozilla.com) and ulfr (jvehent@mozilla.com) access to 'fraud and abuse' etherpad mentioned in the wiki: https://id.etherpad.mozilla.org/fxacct-metrics-fraud-detection
      * Schedule Op meeting for fxa
      * Schedule auth-server discussion with dcoates
      ** Schedule reviews for auth / cloud, desktop, fxos, android, attached services (end of q1 target)
      Fraud and abuse meta issue: https://github.com/mozilla/fxa-auth-server/issues/222
      ==OPSEC==
      Threat mapping
      What would you say are the 2-3 security/intrusion scenarios we should focus on?
      How would you like to respond to those scenarios:
      -- Contain and clear an intrusion
      -- Detect and Deter active attempts
      -- Pursue and Prosecute attackers
      -- (Combination of any/all of the above) )
    • Security/Reviews/PersonaRealms  + ( * technical privacy review * privacy review * server for test environment )
    • Security/Reviews/bug588270  + ( * user study on how users perceive the UI in this model (future, not for this bug/review) -- does this UI change alter how they perceive the security of a site )
    • Security/Reviews/ClickToPlay  + (
      * Keeler :: ability to differentiate plugins in persisted permissions :: https://bugzilla.mozilla.org/show_bug.cgi?id=746374 :: FF19?
      * Keeler :: differentiate regular click-to-play permissions from blocklisted click-to-play permissions :: before regular click-to-play gets its own UI to enable it )
    • Security/Reviews/Audio Recording - Web API  + (
      - Pauljt :: determine the threat model for WebRTC ::
      - Cdiehl :: fuzz this API
      - Pauljt :: Tainting audio/video elements with cross-origin audio data, so that this API fails in such cases. (ie web page should not be able to access the contents of cross-origin resources) )
    • Security/Reviews/BZBrowserID  + (
      Who | Action | By When | Completed date   (legend: [NEW] new, [DONE] Done, [MISSED] Miss)
      Gerv | Update code to check for absence of "nobrowserid" group | | [DONE] Done (http://bzr.mozilla.org/bugzilla/extensions/browserid/trunk/revision/8)
      Gerv | File bug on full verifier support (non blocker) | | [DONE] Done - [https://bugzilla.mozilla.org/show_bug.cgi?id=737480 bug 737480]
      Gerv | At appropriate moment, rename any UI elements to new branding | | [http://identity.mozilla.com/post/18038609895/introducing-mozilla-persona not needed]
      Gerv | Create nobrowserid group and put relevant groups in it - all security, HR, legal | | [DONE] Done )
    • Security/Reviews/Marionette  + (
      Who | Action | By When | Completed date   (legend: [NEW] new, [DONE] Done, [MISSED] Miss)
      marionette team | [https://bugzilla.mozilla.org/show_bug.cgi?id=741812 bug 741812] add verification checking for AMO reviewers | before code migrates to aurora | [DONE] 2012-04-03
      marionette team | [https://bugzilla.mozilla.org/show_bug.cgi?id=741813 bug 741813] prevent the default startup pref so it cannot be changed by adding a pref listener, and can only be enabled in prefs.js | before code migrates to aurora | [DONE] complete 2012-02-15 )
    • Security/Reviews/PerWindowPrivateBrowsing  + (
      Who | Action | By When | Completed date
      jdm, ehsan | [https://bugzilla.mozilla.org/show_bug.cgi?id=740832 bug 740832] [https://bugzilla.mozilla.org/show_bug.cgi?id=729706 bug 729706] Do workers get the right load context for cookies? | before code migrates to aurora | [DONE] 2012.03.10 )
    • Security/Reviews/CleanUpUserProfile  + (
      Who | Action | By When | Completed date
      mnoorenberghe | Followup - what's in the cert8.db? We won't be migrating those. '''It does include certificate additions and revocation of trust so it's safer IMO to not migrate since that is closest to our fresh install''' | before code migrates to aurora | [DONE] 2012.03.05
      mnoorenberghe | check on migration of DNT pref, master password '''we're not going to migrate any prefs. Master password is migrated properly: the pref UI is not tied to a pref.''' | before code migrates to aurora | [DONE] 2012.03.05
      '''For the other non-action items: Sync is being tracked in bug 725904. Bug 731047 tracks cleaning up the old profile.''' Not sure what the plan is for add-ons (plugins, extensions, themes). They would be disabled, but we might not migrate. Also questions on how that would work with sync. Is there any way to get to the profile manager for someone who has no idea how to use the command line? How do other browsers handle this? Do they delete the old profile?
      * IE does not support profiles, if you reinstall it over-writes - They support irreversible [http://windows.microsoft.com/en-US/windows7/Reset-Internet-Explorer-settings-in-Internet-Explorer-9 reset in IE 9] though )
    • Security/Reviews/BackGroundUpdates  + (
      Who | What | By When | completed Y/N
      imelven | review wiki page | 13-Jan-2012 | y )
    • Security/Reviews/Telemetry Experiments r1  + (
      Who :: What :: By When
      * benjamin :: make call on cert pinning direction, talk to Camilo Viecco (cviecco) :: before shipping
      * benjamin :: file bug to annotate crash reporter if experiment is enabled )
    • Security/Reviews/WebActivities  + (`)
    • Security/AppsProject/LightningNightlyPHP  + (`)
    • Security/AppsProject/Element.mozRequestFullscreenWithKeys  + (`)
    • Security/Reviews/ModuleLoader  + (`)
    • Security/Reviews/Push API  + (`)
    • Security/Reviews/Shumway  + (`)
    • Security/Reviews/MobileJavaAddOns  + (`)
    • Security/Reviews/ExitFullScreenFocusChange  + (`)
    • MoPal  + (`)
    • Security/Reviews/B2G/mozapp  + (`)
    • Security/Reviews/SocialShare  + (`)
    • Security/Reviews/TelemetryServer  + (`)
    • Security/Reviews/SimplePushSrv  + (`)
    • Security/Reviews/APK Factory  + (`)
    • Security/Reviews/BZ Elastic Search  + (`)
    • Security/Reviews/TreeHerder  + (`)