Closed Bug 771352 Opened 12 years ago Closed 12 years ago

turn off iframe features ala browserid sandbox

Categories

(Firefox Graveyard :: SocialAPI, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 771353

People

(Reporter: amuntner, Unassigned)

The security review identified the importance of giving good security advice to social integration providers. The secreview wiki (https://wiki.mozilla.org/Security/Reviews/SocialAPI) documents these as proposed or accepted remediations.

The purpose of this bug is for tracking and review of the documentation/guidance to be created for social providers. My take is that we need to offer two categories of documentation:

1. Guidance for developers
   - Their code should never have the user log in from the social window, only from the main browser window
   - They should instruct their users that if they see a login request inside the social window, it's spoofed/unsafe and they should not use it
   - Guide providers about safe strings to place in notifications
     - e.g. "Joe has come online" but not "Joe has a new update and here it is: XXXX"
   - Information on what is blocked in the sandbox (plugins, etc)
2. Infrastructure
   - How to deploy their code safely
   - SocialAPI requires valid SSL certs, safebrowsing checks, same-origin policy of any URLs in the manifest.

Please expand this list as you see the need.
Disregard, this bug was created in error.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Firefox Graveyard