SecurityEngineering/MeetingNotes/03-29-12
From MozillaWiki
Standing Agenda
- Review currently active (P1) features against their established milestones, identify any blockers - https://wiki.mozilla.org/Security/Roadmap + https://wiki.mozilla.org/Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/03-22-12
Security Roadmap
- Kilimanjaro - ????. Ecosystem. Critical mass of features. Focus on getting these out with specific deadlines / timelines: apps, identity/personas/login to the browser, sync across all three platforms.
- B2G - next step: go through the WebAPIs and try to describe the inherent risk in each of them.
- Click to play Plugins - working on determining the right experience for users. Need to coordinate with product etc. Jared is working on it and wants to land it in 14. It's an experimental blanket click-to-play approach; it wouldn't be enabled by default in 14.
- iframe sandbox - Ian is still pushing this along. Current status is all in https://bugzilla.mozilla.org/show_bug.cgi?id=341604. There seems to be agreement about how workers should behave in a sandboxed document; I'm debugging and investigating how to make this happen. The attribute is under discussion on WHATWG - going to poke Mozilla folks and try to get consensus on what to implement in Gecko. Also having a hang problem with the tests when I pushed them to try. Also, I want to rework the patch to use the same script choke points as CSP instead of totally disabling JS on the docshell - this will avoid the problem of having e.g. video controls not working in an iframe with scripts disabled.
- CA Pinning - Camilo will be working on this. Start with an assessment: what will it take to start writing a patch. Need to talk to Brian about feasibility after determining the scope; the scope + feasibility determination should be done by end of next week.
- Low-rights Firefox - Ian will begin researching this heavily starting Monday.
Additional Items
- Stanford Computer Forum - Monday - http://forum.stanford.edu/events/2012security.php
- Recap from London devtools work week: https://bugzilla.mozilla.org/show_bug.cgi?id=737873, http://people.mozilla.org/~mgoodwin/devtools_ideas/
- Google Summer of Code projects: https://wiki.mozilla.org/Community:SummerOfCode12#Security_Engineering
- Competitive analysis
- Yahoo security week presentation