Who is/are the point of contact(s) for this review? Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.): Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description: Does this request block another bug? If so, please indicate the bug number This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review? Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.) Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users? Are there any portions of the project that interact with 3rd party services? Will your application/service collect user data? If so, please describe If you feel something is missing here or you would like to provide other kind of feedback, feel free to do so here (no limits on size): Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.

> Who is/are the point of contact(s) for this review? Doug Turner > Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.): Device Storage allows us to expose directories and files to web content. > Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description: https://wiki.mozilla.org/WebAPI/DeviceStorageAPI > Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users? Yes. It is a core change to gecko. > Are there any portions of the project that interact with 3rd party services? No. > Will your application/service collect user data? If so, please describe No. Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite. Soon.

:dougt if you could pick one of the open dates I can get a lead assigned for this and we can get it scheduled.

Review Meeting set: https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html?view=month&action=view&invId=110473-110472&pstat=AC&exInvId=110473-185529&useInstance=1&instStartTime=1339012800000&instDuration=3600000

:pauljt - if this is done lets get this to verified-fixed state

This API is still awaiting a permissions model. When I spoke to dougt last week, he indicated that there might even be an API redesign. So awaiting either permissions model implmentation

There permission model is implemented now. There was an issue with content being able to prompt for media storage but this is now fixed (814294). There were also other actions from the security review which didn't make it into bugzilla. Attempting to chase these down now. They were: * check around sizes/dos risks/paths/partitions -> /system has its own partition, as does /data. Media files are stored on /sdcard partition so should not be a risk of DoS. * Investigate file blob -> File handle patch -> bug 752724, this needs a review, I'm doing this. * Further investigate permission granularity/implementation: granularity is split per data store, see https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0 for details of permissions model for basecamp. Nothing further todo here. * file bug that isSafePath checks for "." and ".." paths, "..." would get by. This was bug 762343, which has no work on it, but I have tested fuzzing file paths and I didn't see any issues.

So 752724 isnt complete yet, and it isnt basecamp, so I think this review is done for now. I have will revisit 752724 when it is more complete.