Websites/Mozilla.org/One Mozilla/Documentation/Self-Secreview: Difference between revisions

Latest revision as of 19:42, 7 August 2012

originally published by cbrodigan (https://wiki.mozilla.org/Chrissiebrodigan), Feb 2012

When creating a sub-site, here are two things that could potentially be security issues:

1. SSL

Since the site collects email addresses, the site must be served exclusively over HTTPS, and the email address collection page must submit the form via HTTPS.

2. Facebook & Twitter buttons

Please instruct the developers to review their FB and Twitter buttons prior to finalizing the application.

Here's how to test this:
1. Within Firefox, go to Tools -> Web Developer -> Web Console
2. In the new window, click the buttons to disable display of CSS, JS, and Web Developer (only Net should be visible)
3. Clear any data in the current window (the Clear button is on the upper right)
4. Load the Mozilla page
5. Review the requests in the window for anything that goes to facebook.com or twitter.com
6. If you see any requests to these sites that occur without the user taking any action on the site, then we have an issue.

We've accomplished a privacy-friendly sharing feature on our other sites. An example can be found at https://developer.mozilla.org/en-US/demos/detail/front-invaders. Just click on the "Share It" button to see options for Twitter and Facebook. This design only sends requests to Facebook/Twitter after the user has clicked on the respective icon. Simply viewing our Mozilla page does not result in the user transmitting information to Facebook or Twitter.
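A scripted form of the Net-panel check above (steps 5 and 6) together with the click-only share design, as an added example that is not from the wiki page or the sites it mentions. The request log and timestamps are constructed; the share endpoints are the networks' public share URLs and are an assumption, not something the page states.

```javascript
// Domains from the page's check. Subdomains (www., platform., ...) count too.
const SOCIAL_HOSTS = ['facebook.com', 'twitter.com'];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// True if host is one of SOCIAL_HOSTS or a subdomain of one (not "notfacebook.com").
function isSocialHost(host) {
  return SOCIAL_HOSTS.some((d) => host === d || host.endsWith('.' + d));
}

// requests: [{ url, time }] as the Net panel would list them; firstUserAction:
// ms timestamp of the first click, or null if the user did nothing.
// Returns the social-network requests that fired with no user action, which
// is the "we have an issue" case of step 6.
function passiveSocialRequests(requests, firstUserAction = null) {
  return requests.filter((r) => {
    if (!isSocialHost(hostOf(r.url))) return false;
    return firstUserAction === null || r.time < firstUserAction;
  });
}

// Click-only sharing: the share URL is built and opened only when the user
// clicks, so page load never contacts either network. (Endpoints assumed.)
function shareUrlFor(network, pageUrl) {
  const u = encodeURIComponent(pageUrl);
  if (network === 'twitter') return 'https://twitter.com/intent/tweet?url=' + u;
  if (network === 'facebook') return 'https://www.facebook.com/sharer/sharer.php?u=' + u;
  throw new Error('unknown network: ' + network);
}

// Browser wiring, skipped under Node: <a data-share="twitter">...</a> etc.
if (typeof document !== 'undefined') {
  for (const btn of document.querySelectorAll('[data-share]')) {
    btn.addEventListener('click', (ev) => {
      ev.preventDefault();
      window.open(shareUrlFor(btn.dataset.share, location.href), '_blank', 'noopener');
    });
  }
}

// Constructed log: two widget loads at page load, one share after a click at 4800 ms.
const SAMPLE_LOG = [
  { url: 'https://www.mozilla.org/en-US/', time: 0 },
  { url: 'https://www.mozilla.org/media/js/site.js', time: 40 },
  { url: 'https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.mozilla.org%2F', time: 120 },
  { url: 'https://platform.twitter.com/widgets.js', time: 130 },
  { url: 'https://twitter.com/intent/tweet?url=https%3A%2F%2Fwww.mozilla.org%2F', time: 5000 },
];
```

Running `passiveSocialRequests(SAMPLE_LOG, 4800)` flags the two widget loads but not the post-click share; a log from the click-only design yields an empty result.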