Security/Reviews/ModuleLoader

From MozillaWiki

Item Reviewed

Module Loader
Target
   
ID Summary Priority Status
743359 Land module loader to firefox P1 RESOLVED
756491 SecReview: Land module loader to firefox -- VERIFIED

2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%);

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • We are using a module loader that is similar to the one used by Node.js.
    • The long-term goal is to land the SDK in Firefox.
    • The loader lands first, then the API, then the SDK.
  • This would allow Jetpack items to use the module loader (currently shipped with each add-on).
    • Loader instances won't be shared across add-on instances; only the code that creates loaders is shared.
    • Blacklists Components from the sandboxes we create.

https://bugzilla.mozilla.org/show_bug.cgi?id=747434

    • We will be able to visualize the capabilities graph for add-on reviewers like this:

http://bl.ocks.org/2582184

What solutions/approaches were considered other than the proposed solution?

  • keep it as is

Why was this solution chosen?

  • better for performance and smaller add-ons

Any security threats already considered in the design and why?

  • uses SubscriptLoader() so remote modules will not be loaded.
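
The properties noted above (one loader per add-on, no `Components` in module scope, local-only module URIs, and a require graph for reviewers) can be modelled in plain JavaScript. This is an added sketch, not the Firefox loader's code: `createLoader`, `SAMPLE_MODULES` and the `resource://addon/...` URIs are constructed for illustration, the scheme allow-list is an assumption, and `new Function` with a shadowing parameter stands in for a real sandbox.

```javascript
// Toy model only: NOT the Firefox loader. All names and URIs are constructed.
const SAMPLE_MODULES = new Map([
  ['resource://addon/main.js',
   "const tabs = require('./tabs'); exports.run = () => tabs.count() + 1;"],
  ['resource://addon/tabs.js',
   "exports.count = () => 2; exports.sawComponents = typeof Components;"],
  ['resource://addon/remote.js',
   "require('https://example.invalid/lib.js');"],
]);

// Assumption: only these local schemes are loadable.
const LOCAL_SCHEMES = ['resource:', 'chrome:', 'file:'];

// Shared code that creates loaders; each call has its own cache and graph.
function createLoader(sources) {
  const cache = new Map();
  const edges = [];   // require graph for reviewers: [requirer, required]

  function load(id, parent) {
    const url = new URL(id.endsWith('.js') ? id : id + '.js', parent);
    if (!LOCAL_SCHEMES.includes(url.protocol)) {
      throw new Error('refusing non-local module: ' + url.href);
    }
    if (parent) edges.push([parent, url.href]);
    if (cache.has(url.href)) return cache.get(url.href).exports;
    if (!sources.has(url.href)) throw new Error('module not found: ' + url.href);

    const module = { exports: {} };
    cache.set(url.href, module);
    // `Components` is a parameter bound to undefined, so a module's bare
    // reference to that name never reaches a privileged global.
    const body = new Function('require', 'exports', 'module', 'Components',
                              sources.get(url.href));
    body(child => load(child, url.href), module.exports, module, undefined);
    return module.exports;
  }

  return { main: id => load(id), edges };
}
```

The `edges` array is the raw data a reviewer-facing graph would be drawn from: every `require` call is recorded as a requirer/required pair.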

Threat Brainstorming

Action Items

Action Item Status None
Release Target