Security/Reviews/Gaia/costcontrol: Difference between revisions

← Older edit

Security/Reviews/Gaia/costcontrol (view source)

Revision as of 17:32, 9 October 2013

363 bytes added , 9 October 2013

→‎1. XSS & HTML Injection attacks

Rfletcher

Confirmed users

353

edits

@@ Line 49: / Line 49: @@
 ** "settings":{ "access": "readonly" }
 *** There are no calls to mozSettings(). This permission appears to be extraneous.
+**** mozSettings is used in shared code:l10n.js, settings_listener.js
 ** "networkstats-manage":{} - Obtain statistics of data usage
 ** "telephony": {}, - telephony-call-ended system message.
@@ Line 89: / Line 90: @@
           - <script type="text/javascript" defer="" src="js/fte.js"></script> is redefined as <br>          <script src="js/fte.js" id="js/fte.js" type="application/javascript"></script>
           - After speaking with a developer, they must redefine script tags because simply uncommenting <br>          them and shoving them into innerHTML doesn't work. So they have to redefine the script tags and append them.
+=====Notes=====
+* After speaking with developer regarding [https://wiki.mozilla.org/Security/Reviews/Gaia/costcontrol&amp;section=20#Suspicious_but_OK suspected but ok] issues, specifically the dynamically creating <script> tags in view_manager.js, I've learned that in some instances developers depend on innerHTML quirks for "sanitization" purposes.
 ====2. Secure Communications ====
@@ Line 107: / Line 111: @@
 ** Access to SIM card, check service status
 * "settings":{ "access": "readonly" }
-** There are no calls to mozSettings(). This permission appears to be extraneous.
+** mozSettings is used in shared code:l10n.js, settings_listener.js
 * "networkstats-manage":{}
 ** Obtain statistics of data usage
@@ Line 117: / Line 121: @@
 === Security Risks & Mitigating Controls ===
-Extraneous certified permissions in manifest.
 === Actions & Recommendations ===