Open Bug 1655268 Opened 4 years ago Updated 2 years ago

Prototype Apple Script support

Categories

(Core :: Widget: Cocoa, enhancement, P3)

78 Branch
enhancement

Tracking

()

People

(Reporter: bespoleznyak, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Whiteboard: [mac:integration])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

This is a but for tracking work on adding AppleScript support

Assignee: nobody → bespoleznyak

Depends on D84922

Moving this over to a component, please move it over to the appropiate one if needed.

Status: UNCONFIRMED → NEW
Component: Untriaged → Widget: Cocoa
Ever confirmed: true
Product: Firefox → Core

Dan, apologies for requesting need-info from you directly but I can't seem to find the sec-review flag anymore. Would you be able to set the flag on this bug, or answer the question below? Thank you.

I would like to get some input from the security team here to cover all of our bases. The purpose of this bug is to add the ability to script Firefox, for example to get the currently active URL in the browser. Is there a simple way of saying "yes, we can do this" or "no, there are several security reasons why we should avoid this"? If the answer is not that simple, should this go through a security review? If so, could you point me to the latest documentation on how to draw up a security review request? Thank you!

Some background on AppleScript: https://en.wikipedia.org/wiki/AppleScript

Severity: -- → S3
Flags: needinfo?(dveditz)
Priority: -- → P3

This one sounds concerning enough that we should do a review -- agreed. We'll want to know things like how this differs from WebDriver/marionette in capability, whether you've adopted any of the anti-abuse features they have, and what specific APIs/capabilities you'll be exposing to script. Please fill out the template linked to from our wiki page and mail it to our review list.
https://wiki.mozilla.org/Security/Reviews/

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #5)

This one sounds concerning enough that we should do a review -- agreed. We'll want to know things like how this differs from WebDriver/marionette in capability, whether you've adopted any of the anti-abuse features they have, and what specific APIs/capabilities you'll be exposing to script. Please fill out the template linked to from our wiki page and mail it to our review list.
https://wiki.mozilla.org/Security/Reviews/

Mikhail, do you want to take the lead on getting the security review started?

Flags: needinfo?(bespoleznyak)

Sure, I just contacted the Security Team. Let's see what they say

Flags: needinfo?(bespoleznyak)

Excuse me guys, I just received a delivery failure:

We're writing to let you know that the group you tried to contact (secreview) may not exist, or you may not have permission to post messages to the group. A few more details on why you weren't able to post:

It looks like I'm not able to proceed

Flags: needinfo?(dveditz)

Try it again. The group was apparently set up as internal only, but I've fixed that.

Flags: needinfo?(dveditz)

Yep, looks better

Hey guys, is there a chance to understand if my email was received at all? Three months and no signal...

@Mikhail thanks for your patience so far; I think a lot of the Mozilla folks haven't been following bugmail so closely over the holidays. I'll set a needinfo on :dveditz to help avoid this falling through the cracks...

Flags: needinfo?(dveditz)

The purpose of this bug is to add the ability to script Firefox, for example to get the currently active URL in the browser. Is there a simple way of saying "yes, we can do this" or "no, there are several security reasons why we should avoid this"?

All Webkit and Chromium browsers support AppleScript. All of them together severely dwarf Firefox in user base, yet I do not recall hearing of breaches due to AppleScript support in browsers.

I strongly recommend following how Chrome does it and its AppleScript Dictionary, because that will give you a head-start in adoption.

We'll want to know things like how this differs from WebDriver/marionette in capability

For one, it works without requiring additional software. As an avid automator (who shares) on macOS, I never include Firefox in my tools because I can’t (as it does not support AppleScript).

I have discussed this with Firefox representatives in the past and it was dismissed as a "power-user feature". What they always fail to understand is that power-users are the ones who create the tools non-power-users use.

When users of my tools tell me they will abandon Firefox because it cannot be supported by the tools they want, I never dissuade them. How could I, when that is a major reason I do not touch Firefox myself.

Whiteboard: [mac:integration]

The bug assignee didn't login in Bugzilla in the last 7 months.
:spohl, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: bespoleznyak → nobody
Flags: needinfo?(spohl.mozilla.bugs)

Hello, I'm still here :)
I'm still waiting for someone to proceed with the security review and let me know if I go in the right direction.

:dveditz, would you be able to take a look at what might have happened to the security review request?

Flags: needinfo?(spohl.mozilla.bugs)
Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: