(8 intermediate revisions by 2 users not shown) | |||
Line 49: | Line 49: | ||
** "settings":{ "access": "readonly" } | ** "settings":{ "access": "readonly" } | ||
*** There are no calls to mozSettings(). This permission appears to be extraneous. | *** There are no calls to mozSettings(). This permission appears to be extraneous. | ||
**** mozSettings is used in shared code:l10n.js, settings_listener.js | |||
** "networkstats-manage":{} - Obtain statistics of data usage | ** "networkstats-manage":{} - Obtain statistics of data usage | ||
** "telephony": {}, - telephony-call-ended system message. | ** "telephony": {}, - telephony-call-ended system message. | ||
Line 89: | Line 90: | ||
- <script type="text/javascript" defer="" src="js/fte.js"></script> is redefined as <br> <script src="js/fte.js" id="js/fte.js" type="application/javascript"></script> | - <script type="text/javascript" defer="" src="js/fte.js"></script> is redefined as <br> <script src="js/fte.js" id="js/fte.js" type="application/javascript"></script> | ||
- After speaking with a developer, they must redefine script tags because simply uncommenting <br> them and shoving them into innerHTML doesn't work. So they have to redefine the script tags and append them. | - After speaking with a developer, they must redefine script tags because simply uncommenting <br> them and shoving them into innerHTML doesn't work. So they have to redefine the script tags and append them. | ||
=====Notes===== | |||
* After speaking with developer regarding [https://wiki.mozilla.org/Security/Reviews/Gaia/costcontrol&section=20#Suspicious_but_OK suspected but ok] issues, specifically the dynamically creating <script> tags in view_manager.js, I've learned that in some instances developers depend on innerHTML quirks for "sanitization" purposes. | |||
====2. Secure Communications ==== | ====2. Secure Communications ==== | ||
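Review bot: the Notes entry records that developers depend on innerHTML quirks for "sanitization" but does not say which code paths do so or whether the review accepts that behaviour. Name the affected files beyond view_manager.js, or state that none were identified, and carry the point into Actions & Recommendations. The link target also looks malformed: "costcontrol&section=20#Suspicious_but_OK" carries a query parameter with no "?", and the link text "suspected but ok" does not match the anchor "Suspicious_but_OK".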
Line 107: | Line 111: | ||
** Access to SIM card, check service status | ** Access to SIM card, check service status | ||
* "settings":{ "access": "readonly" } | * "settings":{ "access": "readonly" } | ||
** | ** mozSettings is used in shared code:l10n.js, settings_listener.js | ||
* "networkstats-manage":{} | * "networkstats-manage":{} | ||
** Obtain statistics of data usage | ** Obtain statistics of data usage | ||
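Review bot: the line added under "settings" says where mozSettings is called but not what the readonly access is for, unlike the sibling entries ("Access to SIM card, check service status", "Obtain statistics of data usage"). State the purpose the shared code needs the permission for, and add the missing space after "shared code:".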
Line 117: | Line 121: | ||
=== Security Risks & Mitigating Controls === | === Security Risks & Mitigating Controls === | ||
=== Actions & Recommendations === | === Actions & Recommendations === |