Privacy/Reviews/F1A
Document Overview
| Feature/Product: | Client-Based F1 |
| Projected Feature Freeze Date: | 1-Oct-2011 |
| Product Champions: | Shane Caraveo |
| Privacy Champions: | Sid Stamm |
| Security Contact: | Curtis Koenig |
| Document State: | [NEW] documenting |
Timeline:
| Architectural Overview: | (date TBD) |
| Recommendation Meeting: | (date TBD) |
| Wrap-up Meeting: | (if necessary) |
Architecture
In this section, the product's architecture is described. Any individual components or actors are identified, their "knowledge" or what data they store is identified, and data flow between components and external entities is described.
The main objective of this feature/product is: (describe the goals of the feature/product here)
Mozilla F1 is a simple and fast sharing service designed to enhance the sharing experience of the browser, Firefox, when sharing web sites.
This release, to be named Firefox Share (alpha), is being thought of as a Labs release of F1 and not ready for prime time releases. Our goal is to get an extension out that we can start getting UX feedback from users and start iterating quickly on features and UX.
The initial release will not be extensible, but we intend to follow up early Q4 with a version that supports extensibility via OpenWebApps services (such as the Status.net addon we have created). While we have not defined Q4 goals yet, it is probable that a beta release for a wider audience, with extensibility, will be in those goals. It is also highly possible that fx-share-addon will merge with the OWA jetpack.
Design Documents: Link to any design or architectural documents here.
Other Resources
- additional details may also be found in the Security/Reviews/F1_(round_2)
Components
Currently four jetpack based addons are bundled together, each will be described in deeper detail below, here is a high level outline:
- fx-share-addon
- share mediator based on top of OWA
- 3 built-in apps for twitter, facebook and gmail
- new smtp module for sending emails
- oauthorizer
- jetpack based addon that provides api's to use oauth 1 & 2
- required for built-in apps named above
- openwebapps jetpack addon
- fx-share-addon requires openwebapps to work
- addon-sdk fork
- for has patch from bug 675812 which fixes panel style for osx
openwebapps
OpenWebApps provides the ability for content to install an "app" which may also include a "services" component using the Web Activities APIs. fx-share-addon relies on the Web Activities/services functionality for extensibility.
- currently we have disabled all UI and ability to externally install any web apps.
- Only the fx-share mediator UI is available to the user.
- Web content does not have the ability currently to instantiate the share mediator, only UI in chrome (the share button in the url bar) can show the UI.
oauthorizer
OAuthorizer provides simple APIs for initiating OAuth login/authorization flow and calling OAuth version 1 and 2 based APIs.
The addon currently *can* store OAuth credentials in prefs, however it provides a flag to prevent storage of credentials. The openwebapps addon provides content-available APIs to use OAuthorizer, and passes the flag to prevent OAuthorizer storage of credentials. openwebapps does not store credentials, but passes them through to the webapp, which stores them in local storage. The login/authorization flow is *NOT* provided to content directly, it must be initiated from an openwebapps mediator (such as fx-share-addon). The content-available APIs for making OAuth based API calls requires content to have OAuth consumer and user keys, so without the login flow, it is largely unusable from content. Those content-available APIs will be removed in the future and made available only to openwebapps services. OAuthorizer is otherwise only directly accessible via chrome code.
- future changes
- remove ability to store credentials completely
- remove content-available API and make available only to mediated openwebapps
This component does A, B and C and interacts with component Y to do D.
The tables below simply summarize the data encountered by this component.
Stored Data:
| What | Where |
|---|---|
| consumer key and secret | webapp local storage |
| user key and secret | webapp local storage |
Communication with Component Y
| Direction | Message | Data | Notes |
|---|---|---|---|
| In: | message 1 | types of data received from component Y with the message | |
| Out: | message 2 | types of data sent to component Y with the message |
User Data Risk Minimization
In this section, the privacy champion will identify areas of user data risk and recommendations for minimizing the risk.
Alignment with Privacy Operating Principles
In this section, the privacy champion will identify how the feature lines up with Mozilla's privacy operating principles.
See Also: Privacy/Roadmap_2011#Operating_Principles:
Principle: Transparency / No Surprises
(How the feature addresses this)
Recommendations: (what can be improved)
Principle: Real Choice
Recommendations:
Principle: Sensible Defaults
Recommendations:
Principle: Limited Data
Recommendations:
Follow-up Tasks and tracking
| What | Who | Bug | Details |
|---|---|---|---|
| [NEW] Initial Overview Discussion | ? | Meeting time TBD |