Security/Reviews/MarionetteCLIAll

From MozillaWiki

Item Reviewed

Add --marionette CLI to enable Marionette on all Firefox builds
Target
ID Summary Priority Status
870445 Add --marionette CLI to enable Marionette on all Firefox builds -- RESOLVED
870576 SecReview: Add --marionette CLI to enable Marionette on all Firefox builds -- RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

Previous Review:

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • W3C spec for WebDriver (our implementation)
    • there are other implementations (Firefox Driver)
    • Similar to Mozmill
    • Key framework to B2G (built into Gecko to simplify a lot of work, since B2G does not support extensions)
  • SocialAPI people would like to use this for automation
  • in the past this was for debug builds only
    • social API has asked for this in optimized builds
    • to gain further audience for test automation
  • Chromium and Opera are also doing this in optimized builds
  • This review is just for Firefox Desktop

What solutions/approaches were considered other than the proposed solution?

  • based on what the SocialAPI team wants, there are currently no other ways to support this
  • use Firefox Driver
    • this supports content only, and we need some items in chrome

Why was this solution chosen?

  • reasons above

Any security threats already considered in the design and why?

Threat Brainstorming

  • https://bugzilla.mozilla.org/show_bug.cgi?id=741812
    • [Security Review][Action Item]Marionette - AMO Review Information
    • won't fix
    • need to re-open this bug given other information from this review
  • https://bugzilla.mozilla.org/show_bug.cgi?id=741813
    • [Security Review][Action Item] Marionette - pref
    • won't fix
    • this may have been fixed by the use of startup flags
    • Still wontfix now because we won't be able to enable Marionette with just a pref anymore
  • what has been done to keep an add-on from using this
    • nothing to date
  • why do we have prefs if we have command line
    • prefs hold other information (e.g. port), not simply a start/stop kind of pref
  • [sidenote for B2G] On B2G, it listens on all interfaces; we should restrict this to localhost (already done for Firefox)
  • We could prefix with a note in parentheses/braces in stdout for debug information that gets sent to hosts other than localhost
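
The localhost restriction discussed above can be verified from the host. The following is an added example, not part of the original review or of Mozilla's code: it parses Linux /proc/net/tcp-style text and reports listeners on the Marionette port that are bound to anything other than loopback. Port 2828 (Marionette's default, not stated on this page), the function names and the sample rows are assumptions constructed for illustration; a little-endian host is assumed.

```python
import ipaddress

LISTEN = "0A"            # TCP_LISTEN state code in /proc/net/tcp
MARIONETTE_PORT = 2828   # assumed default port; not stated in the review notes

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
# Constructed sample rows (not captured from a real system).
SAMPLE_LOOPBACK = HEADER + (
    "   0: 0100007F:0B0C 00000000:0000 0A 00000000:00000000\n"   # 127.0.0.1:2828 LISTEN
    "   1: 0100007F:0B0C 0100007F:D2F0 01 00000000:00000000\n"   # established client
)
SAMPLE_EXPOSED = HEADER + (
    "   0: 00000000:0B0C 00000000:0000 0A 00000000:00000000\n"   # 0.0.0.0:2828 LISTEN
    "   1: 0A01A8C0:0B0C 00000000:0000 0A 00000000:00000000\n"   # 192.168.1.10:2828
    "   2: 00000000:0016 00000000:0000 0A 00000000:00000000\n"   # unrelated port 22
)


def decode_addr(hex_addr):
    """Decode the kernel's hex address (32-bit host-order words) to an IP object."""
    raw = bytes.fromhex(hex_addr)
    # Reverse each 4-byte word: valid for IPv4 (8 hex chars) and IPv6 (32 hex chars).
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(packed)


def exposed_listeners(proc_net_text, port=MARIONETTE_PORT):
    """Return bind addresses of LISTEN sockets on `port` that are not loopback."""
    exposed = []
    for line in proc_net_text.splitlines():
        fields = line.split()
        # Skips the header row and any socket that is not in LISTEN state.
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            exposed.append(str(addr))
    return exposed


if __name__ == "__main__":
    for name, text in (("loopback", SAMPLE_LOOPBACK), ("exposed", SAMPLE_EXPOSED)):
        print(name, exposed_listeners(text) or "loopback only")
```

On a live Linux host, pass the contents of /proc/net/tcp and /proc/net/tcp6 instead of the samples; an empty result means no listener on that port is bound beyond loopback.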

Action Items

Action Item Status: In Progress
Release Target:
* Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
  • Marionette Team :: reopen and address 741812 for AMO :: before enabling in optimized builds