Security/Reviews/SocialAPI: Difference between revisions

Edit summary: updates from june 20 meeting

Line 36:
Our intent is that the entire system defaults to "off". We would like a social service provider to have the power to turn the feature on, for its own domain, while the user is visiting their site. I suggest that this be implemented as: On pages whose domain matches the URLPrefix of an installed service provider, a JS function ("activateSocialBrowsing") is enabled. Calling this function prompts the user with a "want to turn on social browsing?" panel; if selected, this enables the feature and selects the current provider. If the user declines to turn it on, we should have the option to remember this choice and not present the panel in future.
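A gate check for the rule above (enable activateSocialBrowsing only on pages matching an installed provider's URLPrefix), as an added example that is not part of the review page or of the SocialAPI code. The provider list and page URLs are constructed, and comparing the parsed origin instead of a plain string prefix is this example's own hardening assumption.

```javascript
// Added example, not from the SocialAPI review: should this page be allowed to
// call activateSocialBrowsing() for one of the installed providers?

// Constructed sample of installed providers. "URLPrefix" is the field name the
// review uses; the values are made up for this example.
const installedProviders = [
  { name: "Whateverbook", URLPrefix: "https://social.example.com" },
];

// Naive check: a plain string prefix. Kept only to show the pitfall: a
// look-alike host such as social.example.com.evil.test also passes.
function naiveMatch(pageUrl, urlPrefix) {
  return pageUrl.startsWith(urlPrefix.replace(/\/$/, ""));
}

// Hardened check (assumption of this example): parse both URLs, require the
// provider prefix to be https, compare scheme + host + port exactly, and then
// require the page path to sit under the provider's path prefix.
function pageMatchesProvider(pageUrl, urlPrefix) {
  let page, prefix;
  try {
    page = new URL(pageUrl);
    prefix = new URL(urlPrefix);
  } catch (e) {
    return false; // unparsable input never matches
  }
  if (prefix.protocol !== "https:") return false; // provider must be served over TLS
  if (page.origin !== prefix.origin) return false; // exact origin, not a string prefix
  const dir = prefix.pathname.endsWith("/") ? prefix.pathname : prefix.pathname + "/";
  return page.pathname === prefix.pathname || page.pathname.startsWith(dir);
}

// Returns the installed provider the page may enable, or null if none matches.
function providerForPage(pageUrl, providers = installedProviders) {
  return providers.find((p) => pageMatchesProvider(pageUrl, p.URLPrefix)) || null;
}
```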
|SecReview threats considered=- Phishing
|SecReview threat brainstorming=Submit threat brainstorming comments and suggestions to amuntner (@) mozilla.com

1 Manifest file - what are the security requirements for entrance?
Threat
* Can a website say, "click to add whateverbook," and really add a MITM site to your manifest, with legit ssl key?