Security/Reviews/Gaia/FacebookIntegration
Revision as of 20:07, 6 March 2013
App Review Details
- App: Facebook Integration
- Review Date: 6 March 2013
- Review Lead: Stefan Arentz
Overview
The Facebook integration code is primarily about integrating Facebook into the Contacts application. It lets the user import Facebook contacts and, once they are imported, use Facebook features from the Contacts app.
Contacts imported from Facebook bring a lot of metadata into the Gaia contacts database: birthday, email addresses, phone numbers, postal addresses and profile picture.
When on a contact detail page in the contacts app, a Facebook contact will have three additional options:
- Send Private Message
- Post to Wall
- View Facebook Profile
We do not provide our own UI for those features; each of them simply opens a page at https://m.facebook.com.
Architecture
Components
The Facebook integration consists of a number of HTML pages for importing contacts and an alarm handler that periodically syncs them in the background.
Relevant Source Code
The main source code is contained at:
- https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/facebook/
- https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/contacts/js/fb/
The following files were examined for this review:
- communications/contacts/js/fb/fb_contact.js
- communications/contacts/js/fb/fb_contact_utils.js
- communications/contacts/js/fb/fb_data.js
- communications/contacts/js/fb/fb_import.js
- communications/contacts/js/fb/fb_import_init.js
- communications/contacts/js/fb/fb_init.js
- communications/contacts/js/fb/fb_link.js
- communications/contacts/js/fb/fb_link_init.js
- communications/contacts/js/fb/fb_messaging.js
- communications/contacts/js/fb/fb_oauth.js
- communications/contacts/js/fb/fb_query.js
- communications/contacts/js/fb/fb_utils.js
- communications/contacts/js/fb/friends_list.js
- communications/facebook/js/console.js
- communications/facebook/js/curtain.js
- communications/facebook/js/fb_oauth_frame.js
- communications/facebook/js/fb_sync.js
- communications/facebook/js/fb_sync_init.js
- communications/facebook/js/sync_worker.js
- communications/ftu/js/fb_launcher.js
Permissions
Web Activity Handlers
Web Activity Usage
Notable Event Handlers
Code Review Notes
1. XSS & HTML Injection attacks
2. Secure Communications
The code talks to the following Facebook APIs:
- https://api.facebook.com/method/phonebook.lookup
- https://graph.facebook.com/#/feed?method=POST
- https://m.facebook.com/chat/messages.php
- https://graph.facebook.com/$uid/picture
- https://www.facebook.com/logout.php
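The review item above is that every one of these calls goes over TLS to a Facebook host. The following is an added example of the allowlist check a reviewer can run over that endpoint list; it is not Gaia code and not part of the original review. The endpoint strings are copied from the list above, the allowed-host set is an assumption derived from that same list, and the `#` and `$uid` placeholders are expanded with a constructed user id so the templates parse as real URLs. The `access_token` query-string check is a general review heuristic, not something the page says the code does.

```javascript
// Added example (not Gaia code): audit the outbound Facebook endpoints for
// plaintext schemes, unexpected hosts, embedded credentials and tokens in the
// query string, the way a "Secure Communications" review item would be checked.

// Endpoint templates as listed in the review notes. "#" and "$uid" stand for
// the Facebook user id in the original.
const FACEBOOK_ENDPOINTS = [
  "https://api.facebook.com/method/phonebook.lookup",
  "https://graph.facebook.com/#/feed?method=POST",
  "https://m.facebook.com/chat/messages.php",
  "https://graph.facebook.com/$uid/picture",
  "https://www.facebook.com/logout.php",
];

// Assumption: the hosts the integration is expected to talk to, derived from
// the list above. Anything else is flagged for the reviewer.
const ALLOWED_HOSTS = new Set([
  "api.facebook.com",
  "graph.facebook.com",
  "m.facebook.com",
  "www.facebook.com",
]);

// Constructed sample id; an unexpanded "#" would otherwise be parsed as a
// URL fragment and hide the path and query that follow it.
const SAMPLE_UID = "100000000000001";

// Substitute the review's uid placeholders so the template parses as a URL.
function expandTemplate(template, uid) {
  return template.replace(/\$uid|#/g, uid);
}

// Check one URL. Returns { ok, reasons } where reasons lists each finding.
function checkEndpoint(rawUrl) {
  const reasons = [];
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reasons: ["unparseable URL"] };
  }
  if (url.protocol !== "https:") {
    reasons.push(`plaintext scheme ${url.protocol}`);
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    reasons.push(`host ${url.hostname} not in allowlist`);
  }
  if (url.username || url.password) {
    reasons.push("credentials embedded in URL");
  }
  // A token in the query string leaks into server logs and Referer headers;
  // the reviewer should confirm it travels in a header or POST body instead.
  if (url.searchParams.has("access_token")) {
    reasons.push("access_token carried in query string");
  }
  return { ok: reasons.length === 0, reasons };
}

// Expand and check every template; returns one record per endpoint.
function auditEndpoints(templates, uid) {
  return templates.map((template) => {
    const url = expandTemplate(template, uid);
    return { template, url, ...checkEndpoint(url) };
  });
}

// Stand-alone run: print only the endpoints with findings.
for (const record of auditEndpoints(FACEBOOK_ENDPOINTS, SAMPLE_UID)) {
  if (!record.ok) {
    console.log(`${record.url}: ${record.reasons.join("; ")}`);
  }
}
```

Run as written, the five endpoints from the review all pass: every scheme is `https:` and every host is a facebook.com subdomain. The check is deliberately a static one over the URL strings; it says nothing about certificate validation or pinning on the device, which has to be confirmed separately against the XHR and iframe code that actually issues the requests.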