297
edits
Security/Reviews/SocialAPI: Difference between revisions
no edit summary
(Added platform issues, open questions, notes) |
No edit summary |
||
| Line 192: | Line 192: | ||
'''Platform Issues - | '''Platform Issues - Javascript Engine''' | ||
* Non-responsive Scripts (Javascript Engine) | * Non-responsive Scripts (Javascript Engine) | ||
* Cu.Sandbox doesn't provide a way for us to test for non-responsive scripts, so making this a blocker will prevent the feature from moving forward at this time. Shane thinks that kind of functionality should actually be integral to Cu.Sandbox itself rather than features utilizing it, it would be a good addition, but something for js engine. | * Cu.Sandbox doesn't provide a way for us to test for non-responsive scripts, so making this a blocker will prevent the feature from moving forward at this time. Shane thinks that kind of functionality should actually be integral to Cu.Sandbox itself rather than features utilizing it, it would be a good addition, but something for js engine. | ||
| Line 213: | Line 213: | ||
'''Notes for pentest''' | '''Notes for pentest''' | ||
* Sandbox: Cu.Sandbox allows chrome to inject code for content to use, some of which may presumably safely call back into chrome functionality. IMHO The question here is, have we used the sandbox correctly. We had the code looked over in bug 751241, and further again by ddahl (more an off-the-record review for a question I had). As part of the full code review the sandbox use should be scrutinized. If there are risk problems with the sandbox itself, that needs to go to the javascript engine team. | * Sandbox: Cu.Sandbox allows chrome to inject code for content to use, some of which may presumably safely call back into chrome functionality. IMHO The question here is, have we used the sandbox correctly. We had the code looked over in bug 751241, and further again by ddahl (more an off-the-record review for a question I had). As part of the full code review the sandbox use should be scrutinized. If there are risk problems with the sandbox itself, that needs to go to the javascript engine team. | ||
}} | }} | ||
{{SecReviewActionStatus | {{SecReviewActionStatus | ||