Confirmed users
152
edits
Security/Reviews/Gaia/homescreen: Difference between revisions
→Permissions
Ptheriault (talk | contribs) |
|||
| (4 intermediate revisions by one other user not shown) | |||
| Line 20: | Line 20: | ||
====Permissions==== | ====Permissions==== | ||
"webapps-manage":used to get the list of all installed apps, so that apps can be launched when their icon is tapped. | * "webapps-manage":used to get the list of all installed apps, so that apps can be launched when their icon is tapped. | ||
"systemXHR": Used to load application icons | * "systemXHR": Used to load application icons | ||
"settings": used to observe when language changes (which can't be done with navigator.language) and also to set the keyboard language. | * "settings": used to observe when language changes (which can't be done with navigator.language) and also to set the keyboard language. | ||
"device-storage:pictures": this is no longer used bug 843921 raised to remove this. | * "device-storage:pictures": this is no longer used bug 843921 raised to remove this. | ||
"open-remote-window":This allows the homescreen to open windows in seperate content processes (ie <iframe remote='true>) | * "open-remote-window":This allows the homescreen to open windows in seperate content processes (ie <iframe remote='true>) | ||
"geolocation": Used by everything.me to provide more relevant content | * "geolocation": Used by everything.me to provide more relevant content | ||
====Web Activity Handlers ==== | ====Web Activity Handlers ==== | ||
| Line 55: | Line 55: | ||
====1. XSS & HTML Injection attacks==== | ====1. XSS & HTML Injection attacks==== | ||
The homescreen and everything.me contain extensive usage of innerHTML which would be better replaced with DOM calls. (both for performance and security). Mainly though this is for static HTML. All access to .innerHTML was audited, including calls to Evme.$create which is a wrapper for innerHTML. | |||
====2. Secure Communications ==== | ====2. Secure Communications ==== | ||
Everything.me was found to be using http to connect to its API, but this was only on non-production devices. SSL has been confirmed on user releases- see bug 831488. | |||
====3. Secure data storage ==== | ====3. Secure data storage ==== | ||
Everything.me was found to log a lot of user activity using dump() statements. Further investigation proved this to be only enabled on development phones, however dump() was replaced with console.log() to prevent accidental disclosure of data from developers (see bug 842062) | |||
====4. Denial of Service ==== | ====4. Denial of Service ==== | ||