SecurityEngineering/MeetingNotes/05-03-12
From MozillaWiki
Standing Agenda
- Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-26-12
Apps Security/B2G Status
- Lots of threads discussing this stuff (everywhere). Turns out the camera is the most complicated topic in the WebAPIs.
- Converging to a very specific proposal
- Permissions opt-in at runtime for trusted apps that need permissions aside from the implicitly provided permissions in trusted apps.
- Some folks wanted "certified apps" (ones we sign) to be common, but Lucas argues that certification be reserved for special things like the dialer, the official "Settings" app, etc.
- See WebAPI wiki page (https://wiki.mozilla.org/Webapi)
- Users can choose permissions at install time, and permissions are granted at runtime and persisted. Users can later change the permissions if they wish, but once they're granted/rejected that choice is persisted. (Permission state may be represented by icons.)
Classes of webapps:
- untrusted (web page)
- installable (web page with a manifest)
- trusted (prompt user to allow certain API access like camera, contacts, etc.)
- certified apps (extend OS, not common)
Much (if not all) of this is documented in the mail threads... but that's a lot of reading.
Roadmap Review
- Privacy roadmap this week (https://wiki.mozilla.org/Privacy/Roadmap/2012)
- Sid is still working Tanvi's awesome feedback into the roadmap
- Sid is working on a new feature: set up a list of sites to be preloaded to be HTTPS by default
- Checked with Google, they are OK with Aurora performance.
- Next work on multiple cookie jars.
- Only a few will remain P1, including shortened HTTP Referer header, cookie jars, per-site third-party cookie settings.
- Hoping to simplify DNT for easier standardization.
- Looking at several not so defined
Travel Stuff
- B2G work week in San Diego next week.
- May 22-24 HITB Amsterdam
- Press tour in June (11th-ish)