Closed Bug 748187 Opened 13 years ago Closed 12 years ago

[Security Review]Browser API

Categories

(mozilla.org :: Security Assurance, task, P1)

x86
macOS

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)

Details

(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy])

B2G contains a browser API so that a browser app can be developed (i.e. a browser written in HTML/JS/CSS). An API is needed to support this, and this bug is for tracking the security review of this API. See link for background.
Assignee: nobody → ptheriault
Status: NEW → ASSIGNED
Whiteboard: [secr:ptheriault] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Summary: Security Review for Browser API → Security Review for B2G Web Telephony
Summary: Security Review for B2G Web Telephony → [Security Review]Browser API
Priority: -- → P1
We need to revisit this review now that Browser API is more complete now, and that multi-process has landed (?).
(In reply to Paul Theriault [:pauljt] from comment #4)
> We need to revisit this review now that Browser API is more complete now,
> and that multi-process has landed (?).

Please file a new bug.

But honestly, I don't think a review is a particularly good use of time at this point. This API lets the embedder totally own the generated content, so it's going to be trusted- and certified-only. Given that this API will not be exposed to unreviewed content and no actionable items came out of the first review, and given the incredibly tight timeframe we're under, I think Dale, Ben, and my time would be better spent elsewhere.

If you disagree, let's discuss this in the new security review bug.

This was more a note to self (and David Chan) - just trying to keep status of secreview bugs up to date. I don't imagine a formal review, just completing the one we already started now that browser API is closer to being finished (although I know there is still a lot of work to do).

(In reply to Justin Lebar [:jlebar] from comment #5)
> (In reply to Paul Theriault [:pauljt] from comment #4)
> > We need to revisit this review now that Browser API is more complete now,
> > and that multi-process has landed (?).
>
> Please file a new bug.
>
> But honestly, I don't think a review is a particularly good use of time at
> this point. This API lets the embedder totally own the generated content,
> so it's going to be trusted- and certified-only. Given that this API will
> not be exposed to unreviewed content and no actionable items came out of the
> first review, and given the incredibly tight timeframe we're under, I think
> Dale, Ben, and my time would be better spent elsewhere.
>
> If you disagree, let's discuss this in the new security review bug.

Created a new security bug (bug 830225) to discuss risks of exposing this API to Privileged Apps, and thus closing this bug out.

Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED