SecurityEngineering/MeetingNotes/05-03-12

Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
Suggest additions or changes to roadmaps
Detailed discussion of features or outstanding issues as time permits
Upcoming events, OOO/travel, etc.

Apps Security/B2G Status

Lots of threads discussing this stuff (everywhere). Turns out the camera is the most complicated topic in the WebAPIs.
Converging to ery specific proposal
- Permissions opt-in at runtime for trusted apps who need permissions aside from the implicitly provided permissions in trusted apps.
- Some folks wanted "certified apps" (ones we sign) to be common, but Lucas argues that certification be reserved for special things like the dialer, the official "Settings" app, etc.
- See WebAPI wiki page (https://wiki.mozilla.org/Webapi)
- Users can choose permissions at install time, and permissions are granted at runtime and persisted. Users can later change the permissions if they wish, but once they're granted/rejected that choice is persisted. (Permission state may be represented by icons.)

Classes of webapps:

Much (if not all) of this is documented in the mail threads... but that's a lot of reading.

Privacy roadmap this week (https://wiki.mozilla.org/Privacy/Roadmap/2012)
Sid is still working Tanvi's awesome feedback into the roadmap
Sid is working on a new feature: setup a list of sites to be preloaded to be https by default
Checked with Google, they are OK with Aurora performance.
- Next work on multiple cookie jars.
- Only a few will remain P1, incuding shortened http referer header, cookie jars, per site third party cookie settins.
- Hoping so simplyfy DNT for easier standarization.
- Looking at several not so defined