Security/Reviews/Firefox4/Jetpack Modules Security Review: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Created page with "= Security Review Pre-Work = ''Please fill our the short section below prior to the review, and make sure you contact security@mozilla.org to schedule your actual review.'' == O...")
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
= Security Review Pre-Work =
= Security Review Pre-Work =
''Please fill our the short section below prior to the review, and make sure you contact security@mozilla.org to schedule your actual review.''
Email sent to security@.


== Overview ==
== Overview ==
''Describe the goals and objectives of the feature here. What needs or problems does it address?''
Jetpack modules provide an XPCOM- and XUL-less API to commonly used browser functionality.


;Background links
;Background links
* feature-tracking bug links
* Module list: https://wiki.mozilla.org/Labs/Jetpack/SDK/APIs
* public specifications (RFC's, W3C specs, IETF Drafts, etc)
* Documentation: https://jetpack.mozillalabs.com/sdk/1.0b1/docs/
* design docs or internal specifications
* Some thoughts from Brian: https://people.mozilla.com/~bwarner/jetpack/components/
* data flow or entity relation diagrams
* links to other implementations of the feature


== Threats ==
== Threats ==
''Please list the top 3 security threats you have considered during the design and implementation of this feature.'' Consider attack points as well as code that feels fragile.
''Please list the top 3 security threats you have considered during the design and implementation of this feature.'' Consider attack points as well as code that feels fragile.


* Threat 1
The Jetpack module APIs build on top of pre-existing browser APIs.
* Threat 2
* Threat 3


What mitigations have you implemented?
What mitigations have you implemented?
Line 25: Line 21:


= Review comments =
= Review comments =
''Notes and bug numbers will be recorded here. Let's try not to spend too much time on any one topic during the meeting.''
 
* post-review determination of things that require deeper review, from consultants, or SME.
* get a wrappers person to review the sandboxing code
* validate url loading (widget, panel, anything else?): about:, data:, javascript:, chrome:, ftp:, file:, something spawns external helpers.

Latest revision as of 15:35, 3 January 2011

Security Review Pre-Work

Email sent to security@.

Overview

Jetpack modules provide an XPCOM- and XUL-less API to commonly used browser functionality.

Background links

Threats

Please list the top 3 security threats you have considered during the design and implementation of this feature. Consider attack points as well as code that feels fragile.

The Jetpack module APIs build on top of pre-existing browser APIs.

What mitigations have you implemented?

Topics To Discuss During The Review

Please be prepared to discuss the topics listed at ReviewTopics as they relate to your feature / project. Optionally, you may copy the most relevant questions here and answer them before the review, which could speed up the review meeting.

Review comments

  • post-review determination of things that require deeper review, from consultants, or SME.
  • get a wrappers person to review the sandboxing code
  • validate url loading (widget, panel, anything else?): about:, data:, javascript:, chrome:, ftp:, file:, something spawns external helpers.
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Reviews/Firefox4/Jetpack_Modules_Security_Review&oldid=275324"