Security/Reviews/Gaia/costcontrol: Difference between revisions

Jump to navigation Jump to search

Security/Reviews/Gaia/costcontrol (view source)

Revision as of 22:01, 30 September 2013

161 bytes removed ,  30 September 2013
→‎Security Risks & Mitigating Controls
Line 118: Line 118:
=== Security Risks & Mitigating Controls ===
=== Security Risks & Mitigating Controls ===
* Extraneous certified permissions in manifest.
* Extraneous certified permissions in manifest.
* After speaking with developer regarding [https://wiki.mozilla.org/Security/Reviews/Gaia/costcontrol&amp;section=20#Suspicious_but_OK suspected but ok] issues, specifically the dynamically creating <script> tags in view_manager.js, I've learned that in some instances developers depend on innerHTML quirks for "sanitization" purposes. Since the security implications of innerHTML are so severe, it might be worth auditing instances of innerHTML or reach out to developer to find out more (:kaze)
* After speaking with developer regarding [https://wiki.mozilla.org/Security/Reviews/Gaia/costcontrol&amp;section=20#Suspicious_but_OK suspected but ok] issues, specifically the dynamically creating <script> tags in view_manager.js, I've learned that in some instances developers depend on innerHTML quirks for "sanitization" purposes.


=== Actions & Recommendations ===
=== Actions & Recommendations ===
Ptheriault
canmove, Confirmed users
1,220

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/718315"

Navigation menu