SecurityEngineering/MeetingNotes/06-14-12
From MozillaWiki
Standing Agenda
- Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/06-07-12
Security Roadmap
Any blockers, significant developments, questions/input from team?
- CA Pinning - not using permissions manager and we may need to build something else. Perhaps cert override service or something like that. Target is still FF 17.
- Click-to-play - blocked on UI design, nsObjectLoadingContent undergoing changes, main click-to-play patch under review
- iframe sandbox - will do another pass on review feedback etc tomorrow, still trying for FF16 if possible.
- low rights Firefox - addon compatibility is the biggest issue - need to get a POC up and try to determine amount of breakage - need to sync up with addon folks and see if we can find out how many addons expect arbitrary filesystem/registry access and to be able to launch new processes.
- Highlight Cleartext passwords - data needs validating; user research surveys need to be done. But working on other bugs instead to alert about security issues in Web Console:
  - https://bugzilla.mozilla.org/show_bug.cgi?id=737873 - blocks Mixed Content feature
  - https://bugzilla.mozilla.org/show_bug.cgi?id=762593 - blocks this feature
Privacy Roadmap
No news is good news.
Additional Items
- Mixed Content. Which option do we select for FF14?
  - Current: as in FF13
  - Option 1
  - Option 2 (better picture here: https://msujaws.wordpress.com/2012/04/23/an-update-to-site-identity-in-desktop-firefox/comment-page-1/#comments )
  - Option 3
  There's a consensus that we prefer 1 over 2.
- Script vs display. What do you guys think?
  - Mixed script: TYPE_SCRIPT, TYPE_XMLHTTPREQUEST, TYPE_STYLESHEET, TYPE_OBJECT, TYPE_SUBDOCUMENT, TYPE_WEBSOCKET
  - Mixed display: TYPE_IMAGE, TYPE_SUBDOCUMENT, TYPE_PING, TYPE_FONT, TYPE_MEDIA, TYPE_WEBSOCKET
  - Necko already blocks mixed websockets, so that case is probably redundant, but I didn't want people to wonder why it wasn't explicitly handled. Websockets belong w/ XHR. So does EventSource.
  - Some load types, like TYPE_XBL and TYPE_REFRESH, didn't appear to make sense in this context, so I ignored them.
  - TYPE_SUBDOCUMENT: should be MixedScript because it could contain references to scripts and contains inline scripts.
  - TYPE_WEBSOCKET: should be MixedScript, same as XHR.
  - TYPE_FONT: fonts may have scripting in them, but it isn't run in the page, so okay as mixed display.
  - TYPE_PING: used when ping is put on <a> tags. Can't talk to the page, etc.
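The split above is easiest to reason about as a small classifier. The following is an added example written for these notes, not Firefox's own mixed-content code: it takes the page URI, the nsIContentPolicy load type and the resource URI and returns "none", "mixed-display" or "mixed-script", using the categories as they stand after the discussion (TYPE_SUBDOCUMENT and TYPE_WEBSOCKET moved to script; TYPE_XBL and TYPE_REFRESH ignored). It goes slightly beyond the notes by also checking the URI schemes (only http: or ws: on an https: page counts) and by adding a block/allow decision per category; the TYPE_* names are used as plain strings rather than the numeric constants the real interface exposes, and all URLs and sample loads are constructed.

```javascript
// Added example, not Firefox's mixed-content code: classify one subresource
// load on an HTTPS page into the categories discussed in the notes.
// The TYPE_* names follow nsIContentPolicy; the real interface uses numeric
// constants, here they are plain strings (assumption made for this example).

// Final categories after the discussion: subdocuments and websockets moved
// from "display" to "script".
const MIXED_SCRIPT_TYPES = new Set([
  "TYPE_SCRIPT",
  "TYPE_XMLHTTPREQUEST",
  "TYPE_STYLESHEET",
  "TYPE_OBJECT",
  "TYPE_SUBDOCUMENT", // can reference scripts and carry inline scripts
  "TYPE_WEBSOCKET",   // same trust implications as XHR
]);
const MIXED_DISPLAY_TYPES = new Set([
  "TYPE_IMAGE",
  "TYPE_PING",  // ping= on <a>; cannot talk to the page
  "TYPE_FONT",  // any scripting inside the font is not run in the page
  "TYPE_MEDIA",
]);
// Load types the notes set aside as not meaningful for mixed content.
const IGNORED_TYPES = new Set(["TYPE_XBL", "TYPE_REFRESH"]);

// Returns "none", "mixed-display" or "mixed-script".
function classifyLoad(pageUrl, loadType, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  // Mixed content only exists when the top-level page is itself secure.
  if (page.protocol !== "https:") return "none";
  // Only plaintext network schemes downgrade the page (wss: is the TLS
  // websocket scheme; per the notes Necko already refuses ws: here).
  if (res.protocol !== "http:" && res.protocol !== "ws:") return "none";
  if (IGNORED_TYPES.has(loadType)) return "none";
  if (MIXED_SCRIPT_TYPES.has(loadType)) return "mixed-script";
  if (MIXED_DISPLAY_TYPES.has(loadType)) return "mixed-display";
  // Fail closed: a load type nobody classified gets the stricter category.
  return "mixed-script";
}

// Block/allow decision under a policy. The two flags correspond to the two
// toggles the script/display split would allow; defaults: block script,
// allow display (assumed policy for this example).
function shouldBlock(category, { blockScript = true, blockDisplay = false } = {}) {
  if (category === "mixed-script") return blockScript;
  if (category === "mixed-display") return blockDisplay;
  return false;
}

// Summarise a list of loads for one page: count per category plus the URLs
// that would be blocked under the default policy.
function auditPage(pageUrl, loads) {
  const summary = { "none": 0, "mixed-display": 0, "mixed-script": 0, blocked: [] };
  for (const { type, url } of loads) {
    const category = classifyLoad(pageUrl, type, url);
    summary[category] += 1;
    if (shouldBlock(category)) summary.blocked.push(url);
  }
  return summary;
}

// Constructed sample loads for a demo run (not real sites).
const SAMPLE_LOADS = [
  { type: "TYPE_SCRIPT", url: "http://cdn.example.test/app.js" },
  { type: "TYPE_IMAGE", url: "http://img.example.test/logo.png" },
  { type: "TYPE_SUBDOCUMENT", url: "http://ads.example.test/frame.html" },
  { type: "TYPE_FONT", url: "https://fonts.example.test/a.woff" },
  { type: "TYPE_XBL", url: "http://example.test/binding.xml" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPage("https://example.test/", SAMPLE_LOADS));
}
```

Running it on the constructed loads reports two mixed-script loads (the script and the subdocument, both blocked), one mixed-display load (the image, allowed), and two loads that are not mixed content at all (the HTTPS font and the ignored XBL binding). Unknown load types deliberately fall into the script bucket so that a new type added to the content policy can only make the check stricter, never silently weaker.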
- Changes to phishing, malware, and cert error pages coming up - https://bugzilla.mozilla.org/show_bug.cgi?id=756926. Debate over colors of the buttons.
  - Network error: http://screencast.com/t/GincXyxP5
  - Certificate error: http://screencast.com/t/Xi4A8Oh2iFOq
  - Phishing attack: http://screencast.com/t/4WzmjcH3
  - Malware attack: http://screencast.com/t/dB3grMJbw