Security/Reviews/Gaia/costcontrol: Difference between revisions

Line 118: Line 118:
=== Security Risks & Mitigating Controls ===
=== Security Risks & Mitigating Controls ===
* Extraneous certified permissions in manifest.
* Extraneous certified permissions in manifest.
* After speaking with developer regarding [https://wiki.mozilla.org/Security/Reviews/Gaia/costcontrol&amp;section=20#Suspicious_but_OK suspected but ok] issues, specifically the dynamically creating <script> tags in view_manager.js.
* After speaking with developer regarding [https://wiki.mozilla.org/Security/Reviews/Gaia/costcontrol&amp;section=20#Suspicious_but_OK suspected but ok] issues, specifically the dynamically creating <script> tags in view_manager.js, I've learned that in some instances developers depend on innerHTML quirks for "sanitization" purposes. Since the security implications of innerHTML are so severe, it might be worth auditing instances of innerHTML or reach out to developer to find out more (:kaze)


=== Actions & Recommendations ===
=== Actions & Recommendations ===
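Review bot: the sentence added to the second bullet leaves the recommendation without a scope: it says developers depend on innerHTML quirks for "sanitization" in "some instances" but names only view_manager.js, and "auditing instances of innerHTML" does not say which files or which assignments to check, so the action cannot be ticked off. Suggest listing the files in this app where innerHTML is assigned from non-literal data, stating which innerHTML behaviour is being relied on for "sanitization", and moving the concrete follow-up into the "Actions & Recommendations" section below rather than leaving it in the risks bullet. Two smaller points: "the dynamically creating <script> tags" should read "the dynamic creation of <script> tags", and the wiki link is written with `&amp;` where the URL needs a plain `&`; "(:kaze)" should also say that this is the developer to reach out to, if that is what is meant.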