SecurityEngineering/MeetingNotes/04-26-12

From MozillaWiki

Standing Agenda

  • Review currently active (P1) features against their established milestones, identify any blockers - https://wiki.mozilla.org/Security/Roadmap + https://wiki.mozilla.org/Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-12-12

Roadmap

  • Opt in activation
    • pref to turn it on in about:config
    • couple of bugs landed for differentiating between plugins (phase 2). We are almost there.
    • For phase 3, need decisions on exactly what the behavior is.
  • Iframe Sandbox
    • Almost done - doing cleanup and pushing towards landing ;)
    • Need to clean up mochitests a bit after feedback from mounir
    • Code patch sent to smaug for review
    • Sec review scheduled. (Looking for help from security assurance finding cases that should be in the test suite that aren't)
    • Land in 15 or 16?
  • B2G App Security Model
    • Camera API
    • Notifications dialog

...

  • Highlight cleartext passwords
    • Tanvi has begun by putting code in the nsLoginManager, soliciting feedback
    • Talking with Limi about the best way to highlight a violating field, brainstorming ideas for ways to evaluate the best "highlight" mechanism.
    • We should do this responsibly, since the whole web will show up as insecure: a comms plan, socialization and a gradual roll-out.
  • Talk to bsmith: he and bsterne have discussed a way to tell whether the https and http versions of a page are the same (the website opts in). That might be useful for this.
  • CA Pinning
  • Process sandbox - Low Rights FF
    • Working on a writeup of research/conversations ...
    • Have Proof of Concept implementation plan

Goals

https://intranet.mozilla.org/2012Q2Goals#Security_Engineering

  • DNT Implementation - technical spec is hashed out but conformance spec still in flux.

Mozcamp Update

  • Interesting. Passionate community.
  • Camilo and Lucas talked

Other items

  • Sid's travel event report
  • Webappsec f2f and csp stuff to discuss.
    • We should be sure to bring things up at the f2f (see schedule below)

  1) Last Call for comments on CORS: http://www.w3.org/TR/access-control/
  2) CSP meta tag, policy uri, CSP sandbox
  3) New CSP directives? Can mention no-user-js
  4) Anti-clickjacking: www.w3.org/Security/wiki/Anti-Clickjacking_Requirements, http://www.w3.org/Security/wiki/Anti-Clickjacking_Protected_Interactive_Elements, http://www.w3.org/Security/wiki/Clickjacking_Threats
  5) CSP should check the Content-Type of scripts and disallow them if it is not application/javascript or application/json, like it used to do: https://dvcs.w3.org/hg/content-security-policy/rev/76f67cf1e5ad. If we buy default enforcement of MIME types, we need a way to turn it off.
  6) meta referrer; separate from CSP right now.

  • making meetings public/announced
  • integrating networking/crypto features into roadmap
  • Job descriptions

PTO/travel

  • Tues, Wed webappsec f2f
  • B2G Work week May 7th.