Security/Reviews/Firefox4/Jetpack Modules Security Review: Difference between revisions
Jump to navigation
Jump to search
| Line 21: | Line 21: | ||
= Review comments = | = Review comments = | ||
* post-review determination of things that require deeper review, from consultants, or SME. | |||
* get a wrappers person to review the sandboxing code | |||
* validate url loading (widget, panel, anything else?): about:, data:, javascript:, chrome:, ftp:, file:, something spawns external helpers. | |||
Latest revision as of 15:35, 3 January 2011
Security Review Pre-Work
Email sent to security@.
Overview
Jetpack modules provide an XPCOM- and XUL-less API to commonly used browser functionality.
- Background links
- Module list: https://wiki.mozilla.org/Labs/Jetpack/SDK/APIs
- Documentation: https://jetpack.mozillalabs.com/sdk/1.0b1/docs/
- Some thoughts from Brian: https://people.mozilla.com/~bwarner/jetpack/components/
Threats
Please list the top 3 security threats you have considered during the design and implementation of this feature. Consider attack points as well as code that feels fragile.
The Jetpack module APIs build on top of pre-existing browser APIs.
What mitigations have you implemented?
Topics To Discuss During The Review
Please be prepared to discuss the topics listed at ReviewTopics as they relate to your feature / project. Optionally, you may copy the most relevant questions here and answer them before the review, which could speed up the review meeting.
Review comments
- post-review determination of things that require deeper review, from consultants, or SME.
- get a wrappers person to review the sandboxing code
- validate url loading (widget, panel, anything else?): about:, data:, javascript:, chrome:, ftp:, file:, something spawns external helpers.