canmove, Confirmed users, Bureaucrats and Sysops emeriti
2,776
edits
Security/Reviews/Shumway: Difference between revisions
no edit summary
(Created page with "{{SecReviewInfo |SecReview name=Shumway SWF Player |SecReview target=<bugzilla>
{
"id":"780311"
}
</bugzilla> }} {{SecReview}} {{SecReviewActionStatus |SecReview action item ...") |
No edit summary |
||
| Line 7: | Line 7: | ||
</bugzilla> | </bugzilla> | ||
}} | }} | ||
{{SecReview}} | {{SecReview | ||
|SecReview feature goal=* The Shumway engine allows flash content to be rendered | |||
* currently in a work week with 2 goals to implement | |||
** video play for h264 video, aac audio, flv container | |||
** mobile game | |||
|SecReview solution chosen=* avoid current issues with other players | |||
|SecReview threat brainstorming=* use firefox security model over flash security model | |||
** this is what they are working towards | |||
** the issue here is that we need to remain consistent with the flash player security model | |||
** or explicitly decide that we are going to violate the security assumptions of the author of the SWF | |||
* we will want to look into how CheckLoadURI interacts with shumway | |||
** Current plugins (incl. Flash) try most of their normal web loads through the browser (NPAPI) to take advantage of proxy settings, etc. | |||
** ALL of those calls ARE checked against nsIContentPolicy using the load type TYPE_OBJECT_SUBREQUEST | |||
* SWF is loaded via rsrc:// | |||
* only API's exposed right now are drawing API's - other API's will throw errors | |||
}} | |||
{{SecReviewActionStatus | {{SecReviewActionStatus | ||
|SecReview action item status=None | |SecReview action item status=None | ||
}} | }} | ||