SecurityEngineering/MeetingNotes/04-11-13

Standing Agenda

  • Q2 Goals Recap (https://intranet.mozilla.org/2013Q2Goals#Security_Engineering)
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-04-13

Agenda

  https://etherpad.mozilla.org/b2g-system-security

Q2 Goals

Relevant: https://wiki.mozilla.org/Platform/2013-Q2-Goals#Networking

top list

Code:

  • land the application reputation scanning thing (dri=mmc)
  • Turn Mixed Content Blocking on in Aurora (dri=tanvi)
  • land classic cert validation replacement, off by default (dri=bsmith, assist=cviecco)
  • land OCSP stapling support and tests (dri=keeler)
    • Brian: when is NSS 3.15 landing on m-c? Answer: maybe today

Evangelism:

  • Make most excellent the MDN documentation of CSP and Mixed Content Blocker. (dri=imelven, assist=rforbes, tanvi)
  • Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux (dri=imelven)

Research:

  • Deploy pilot cookie study and publish results. (dri=ddahl)

Mixed Content Blocker on Mozilla sites

Logging Security Errors to the Web Console

  • the web console code expects nsIScriptError - would need to modify it if we want to start sending different/new errors to the web console
  • could subclass nsIScriptError
  • https://etherpad.mozilla.org/p2eDLTAb9w (brainstorm useful errors for different features)
  • plan: see if using nsIScriptError is sufficient for our needs. If not, potentially subclass or write a whole new class for security errors.