[This was originally sent to dev.platform and dev.tech.crypto] Summary: We intend to remove the proprietary window.crypto functions and properties. See https://developer.mozilla.org/en-US/docs/JavaScript_crypto for what will be affected by this change. Our reasoning is as follows: These functions have never been (and never will be) standardized. The implementation has near-nonexistent test coverage. What few tests exist were written as a result of finding easily-encountered bugs years after the original implementation landed[0][1][2]. As it is exposed to web content, it represents a considerable attack surface. It is not well-maintained. It is incompatible with our process-separation and sandboxing efforts. It is not supported or enabled on Firefox OS. Meanwhile, we are making progress on implementing the webcrypto specification[3]. When complete, webcrypto should provide compatible functionality for what these functions are currently being used to do. Any functionality not implementable using webcrypto is available to addons (see the interfaces in security/manager/ssl/public).
Note: this does not include window.crypto.subtle or window.crypto.getRandomValues, which are part of webcrypto and do not need to be removed. Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1030963 Spec: n/a Platform coverage: desktop, android Target release: 33 Pref: n/a [0] https://bugzilla.mozilla.org/show_bug.cgi?id=849553 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=934716 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=935618 [3] https://bugzilla.mozilla.org/show_bug.cgi?id=865789 _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
