Closed
Bug 750997
Opened 13 years ago
Closed 12 years ago
[Security Review] Idle API
Categories
(mozilla.org :: Security Assurance, task, P1)
Tracking
(blocking-kilimanjaro:+, blocking-basecamp:+)
RESOLVED
FIXED
People
(Reporter: pauljt, Assigned: pauljt)
Details
(Whiteboard: [pending secreview][start 04/01/2012][target mm/dd/yyyy])
Security review of Idle API. Probably is more focused on privacy than security.
Is this the same as OS Idle API? If so, the privacy review is here: https://wiki.mozilla.org/Privacy/Reviews/OSIdleAPI
Assignee: nobody → ptheriault
Status: NEW → ASSIGNED
Updated (assignee) • 12 years ago
Blocks: B2G-secreview
Comment 2 (assignee) • 12 years ago
I think you're right - just checking with the product person now.
Priority: -- → P1
:Paul - this bug is in the process of landing. What is your time frame for starting/completing the sec review here?
Updated • 12 years ago
blocking-basecamp: --- → ?
blocking-kilimanjaro: --- → ?
Comment 5 (assignee) • 12 years ago
This was reviewed prior to implementation. The review remains open, pending bug completion.
Two mitigating controls were proposed previously during the web api permission discussions:
- fuzzing the exact idle time to prevent correlation
- exposing only "page idle" to normal web content, and system idle to trusted and certified webapps/privileged code.
* Fuzzing the idle time is a work in progress (bug 770656)
* From recent email threads, it sounds like "page" idle never made it to implementation.
There is a discussion on the webapi list today regarding whether to use a "page idle" approach or just limit the API to privileged code. Completion date of this secreview is dependent on that, but there isn't much work in it.
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy] → [pending secreview][start 04/01/2012][target mm/dd/yyyy]
Comment 6 (assignee) • 12 years ago
PS: in response to the above question, yes, this is the same as the OS Idle API.
Comment 7 (assignee) • 12 years ago
Update: decision still outstanding for a permission for Idle API as far as I know. Following up at the moment.
Updated • 12 years ago
blocking-basecamp: ? → +
blocking-kilimanjaro: ? → +
Comment 8 • 12 years ago
I am going to unblock on this because this clutters the list of engineering bugs to work on. We should nevertheless obviously finish this work asap, and block on any mandatory follow-up items that come out of it. Please renom if you disagree with this rationale.
blocking-basecamp: + → ---
blocking-kilimanjaro: + → ---
Per conversation with :gal, putting the flags back; we need to make sure this work is done before ship.
blocking-basecamp: --- → +
blocking-kilimanjaro: --- → +
Comment 10 (assignee) • 12 years ago
The review is complete - the only reason this isn't the question around permissions for the Idle API. Last I heard it, this API would be for certified apps only. This is another one to review at the work week workshop.
Comment 11 • 12 years ago
> Last I heard it, this API would be for certified apps only.
This has been implemented: Bug 780507. So I think we're done here; please re-open if I'm wrong.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED