SecurityEngineering/MeetingNotes/08-16-12

From MozillaWiki

Q3 Goals recap

Sounds like we're doing pretty well so far.

[ON TRACK] Basecamp security model

  • Gotta wrap up data jars and permissions
  • Updates
  • Filing down the sharp corners, but on track.

[ON TRACK] Sandboxing

  • Not really any updates from previously -- discussions still going on
  • This is being socialized
  • Need a story around add-ons - very difficult to get the data to answer the actual question: how many users will sandboxing break?
  • What about Java? We don't have full content processes, so this makes it a bit harder with Java. Lots of work to cross process boundaries
  • Keeler ratholes on this particular thing. See http://www.stanford.edu/class/cs240/readings/usenix2002-fibers.pdf for the kind of thing he was talking about.
  • The roll-out strategy is hard ... might be worthwhile doing a gradual roll-out on one platform first or something.
  • Ian and Lucas to continue to spearhead a plan-making synergy
  • Ian wants to hack on the POC to get more insight

[ON TRACK] Click to play experience

  • keeler would appreciate an escalation for this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=778365
    • This would give us the ability to actually deploy a blocklist with the click-to-play stuff (AMO bug for updating the web interface)
    • All the other super-hard blockers for c2p are landing soon
    • please help with traction/progress on this

[AT RISK] CSP 1.0 compliance

  • Ian filed a slew of bugs to help us with landing strategery
  • How to approach it?
    • supporting both headers, with a timeline for deprecation
    • lots of bugs to fix still to hit Q3 goal
    • want to deprecate old header and have a timeline for doing so, this should be lined up with the ESR cycle

[AT RISK] Community event

  • SecAssure is talking about throwing a Mozilla security conference
    • Kind of like bsides (or actually with the B-Sides people)
  • We're thinking more like a brown bag or workshop
  • We still want to do some sort of gathering at SF or MV office this quarter (but no plan yet)
    • We could try to get various security community folks together to talk about web security standards (DNT, CSP, WebCrypto, Different HTTPS trust models, etc)

Roadmap Updates

  • ddahl is making good headway on permissions stuff - allowing APIs to check they have permissions etc
  • iframe sandbox will land as soon as https://bugzilla.mozilla.org/show_bug.cgi?id=781126 lands (Any Day Now)
  • hsts preload - should land soon
  • CA pinning -- tests are almost ready (problems on Try and Windows), blocked on review
  • Mixed Content Blocking -- mixed content blocking HARD due to UI. Really close, may make 17
  • Per Site 3rd Party cookies - blocked by refactoring cookie service, we want this to land first
    • we will ping jason again

Additional agenda stuff

  • XSS Filter Update
    • talked to jst - have a clear path to landing
    • still significant work - talked about how to determine performance hit and criteria to land
    • need to rework callbacks - this isn't to avoid perf hits but to minimize the chance of someone forgetting to add the XSS filter check at every callsite
    • might tie in with CSP 1.0 work, using that to drive the service/registered policy work?
  • SSL Telemetry
  • X-Content-Type-Options
    • abarth has offered to help us draft a spec and has encouraged us to do so!
    • trying to get security assurance team to schedule a secreview with tom to get input from them, although maybe it's best to gather this as part of the spec discussion on whatever mailing list we decide to pursue it (IETF or WebAppSec)
    • see thread on team lists for more details
  • servo and sandboxing
    • talked to jst about this
    • servo work week in MV next week - going to go chat to the Servo folks