Security/Reviews/Win8 Metro Firefox: Difference between revisions

no edit summary
Line 1: Line 1:
{{SecReviewInfo
{{SecReviewInfo
|SecReview name=Windows 8 Metro Firefox
|SecReview name=Windows 8 Metro Firefox
|SecReview target=https://bugzilla.mozilla.org/show_bug.cgi?id=744928  
|SecReview target=<bugzilla>
https://bugzilla.mozilla.org/show_bug.cgi?id=771271  
{
https://bugzilla.mozilla.org/show_bug.cgi?id=762344
"id":"744928,771271,762344,747347"
https://bugzilla.mozilla.org/show_bug.cgi?id=747347
}
</bugzilla>
https://wiki.mozilla.org/Firefox/Windows_8_Integration
https://wiki.mozilla.org/Firefox/Windows_8_Integration
https://wiki.mozilla.org/Firefox/Metro
https://wiki.mozilla.org/Firefox/Metro
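Review bot: The revision has no edit summary, so nothing records why the four show_bug.cgi links in SecReview target were replaced by the <bugzilla> block. A one-line summary would confirm that the same four bugs (744928, 771271, 762344, 747347) remain the review target. The new "id" value is also a single comma-separated string; check on the rendered page that all four bugs are listed and not only the first.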
Line 46: Line 47:
The user can switch tabs without the URL bar showing.
The user can switch tabs without the URL bar showing.
Questions for security:
Questions for security:
1. Are there any times that a URL bar should be shown?
# Are there any times that a URL bar should be shown?
2. We don't currently have a lock icon or other indication that the user is on a secure site.  This is not yet implemented but there is a bug posted for it.  Is this a blocker for landing anywhere?
# We don't currently have a lock icon or other indication that the user is on a secure site.  This is not yet implemented but there is a bug posted for it.  Is this a blocker for landing anywhere?
3. We don't currently have a notification that the user is on a partially secure site. Same questions.
# We don't currently have a notification that the user is on a partially secure site. Same questions.
4. We don't currently display certificate information about a secure site
# We don't currently display certificate information about a secure site
5. Is there any places that you think the URL bar should be shown that I haven't mentioned (and possibly forgot to mention)?
# Is there any places that you think the URL bar should be shown that I haven't mentioned (and possibly forgot to mention)?
6. Is it a concern that a malicious page could be designed to look like our URL bar and fake the user visiting different sites? Is there any way to prevent that?
# Is it a concern that a malicious page could be designed to look like our URL bar and fake the user visiting different sites? Is there any way to prevent that?
|SecReview threat brainstorming=* creating a window (if an attacker can somehow do it) might end up creating a window on the desktop (not in the Metro view) - we might create a widget but Metro will stop a Win32 window from showing up (IIUC)
|SecReview threat brainstorming=* creating a window (if an attacker can somehow do it) might end up creating a window on the desktop (not in the Metro view) - we might create a widget but Metro will stop a Win32 window from showing up (IIUC)
* exploiting Metro process would lead to accessing WinRT APIs as well as win32 APIs, but WinRt APIs are usually more restricted than win32 apis anyways
* exploiting Metro process would lead to accessing WinRT APIs as well as win32 APIs, but WinRt APIs are usually more restricted than win32 apis anyways
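Review bot: In the converted "#" list, the fourth item ("We don't currently display certificate information about a secure site") ends without a period and, unlike the second and third items, puts no question to the security team. Add "Same questions." or state whether this blocks landing. While touching these lines, "Is there any places" in the fifth item should read "Are there any places", and "WinRt" in the threat brainstorming bullet should match the "WinRT" spelling used earlier in the same line.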
Line 68: Line 69:
* dev team:: telemetry data on who is turning on prefs for addons/extenions
* dev team:: telemetry data on who is turning on prefs for addons/extenions
* dev team:: review exthandler code
* dev team:: review exthandler code
}}
}}
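Review bot: "extenions" in the telemetry action item ("telemetry data on who is turning on prefs for addons/extenions") is misspelled in both revisions and should be "extensions". The doubled colon in "dev team::" on both action items also looks unintended; use a single colon if it is not template syntax.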