Thunderbird:Thunderbird3:ContentSecReview/Link Expose Security Review

From MozillaWiki

Overview

Content tabs in Thunderbird have been created for accessing web content. The built-in pages access only Mozilla Messaging's site or about:/chrome: URLs. Extensions may choose to load other pages and/or allow navigation.

Background links

Security and Privacy

The content tabs do not provide any UI for the current location. Status bar UI is provided for links, so that a link is shown on the status bar on hover.

Context menu options are provided for opening the current page or a link in the external browser.

Extensions are expected to provide their own UI for navigation/security should they desire it.

  • Is this feature a security feature? If it is, what security issues is it intended to resolve?
  • What potential security issues in your feature have you already considered and addressed?
  • Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
  • Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
  • How are transitions in/out of Private Browsing mode handled?


Exported APIs

N/A

Module interactions

N/A

Data

N/A

Reliability

  • What failure modes or decision points are presented to the user?
  • Can its files be corrupted by failures? Does it clean up any locks/files after crashes?

Configuration

  • Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
    • None
  • Are there build options for developers? [#ifdefs, ac_add_options, etc.]
    • None
  • What ranges for the tunable are appropriate? How are they determined?
  • What are its on-going maintenance requirements (e.g. Web links, perishable data files)?

Relationships to other projects

Are there related projects in the community?

  • If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
  • Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?

Review comments