SecurityEngineering/MeetingNotes/08-23-12
From MozillaWiki
Standing Agenda
- Q3 Goals Recap -
- Implement security model for basecamp
- Achieve go / no-go for Firefox sandboxing
- Land "final" Click to Play experience (address correctness and UX)
- Ship CSP compliant with W3C 1.0 spec (also helps B2G)
- Lead security/privacy dev community event or workshop
- Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Additional Items
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/08-16-12
Goals
- [ON TRACK] Security Model for Basecamp
- work week next week in Brazil
- progress being made on permissions, including testing
- [ON TRACK] CSP 1.0 Compliance
- We've got a plan for how to support both existing (legacy) and new 1.0 CSP (both headers, two parsers).
- bug 783049 and bug 746978 are starting point and anchor blocks for the work
- Lots of little bugs to pick off, if you'd like them and want to volunteer, ping imelven/geekboy or look at dependencies of bug 737064
- [AT RISK] event/gathering for security/privacy
- Probably not gonna happen
- [ON TRACK] Click To Play
- a couple of bugs still open, but very very close to landing
- Almost entirely good with correctness bugs
- Next point is to do the UX -- working with shorlander to make it go
Roadmap
- [ON TRACK] Mixed Content Blocker
- comments on larissa's slides? on the actual text in the messages?
- I asked her to add an X in the top left of the dialog box, so users have a way to get out of it if they dont' realize they can click elsewhere. If there isn't anything else, i can tell her we are happy with it.
- mochitests for bug 62178 not done :( The tests fail with a timeout on the try server, and I'm not sure why yet. This probably won't land by Monday, so we'll have to push it to FF18. The bug adds two about:config options to block mixed active or mixed display content. Turned off by default. https://tbpl.mozilla.org/?tree=Try&rev=2c1c7a85e4af
- [ON TRACK] Process sandboxing
- have support from Asa to focus on Windows 8 Metro where we already need to figure out an approach for addons, which we also need to do for sandboxing
- going to talk to bsmedberg, jimm, and bbondy and start working on this
- [DONE] iframe sandbox
- LANDED in FF17
- working on a small followup (bug 752529), need input from bent and sicking
- still csp sandbox, allow-popups, automatic feature, 'allow-pointer-lock' to do..
- [ON TRACK] CA Pinning
- Will not land on 17
- Discovered bug on psm(pkix) so that breaks spdy when libpkix is enabled.
- Discovered local bug on certficate overrides.
- Waiting on reviews from bsmith, he is loaded up with B2G work
- NSS patch has been waiting for review for 5 weeks
Additional Items
- Updates from Security Assurance Work Week
- tanvi will give an update next week
- not sure what Yvan wanted to say - they are planning a 'Mozilla Security Conference' of some kind
- potential new roadmap item from sec assurance work week - universal xss - put csp on chrome pages - will discuss next week
- evangelizing roadmaps - how do communicate about the things we're working on?
- ian talked to johnath about this - his suggestion was : land them - and then talk/blog about them.
- tanvi - ran out of time at sec assurance work week for a talk on our roadmaps, but I plan to give it at one of their tuesday weekly meetings.
- raise visibility
- nominate people for friends of tree for doing cool stuff ?
- do voice updates at Monday meeting for cool things (that impact lots of people/are visible) we ship ?
- post on dev-security ? or other groups ?
- blog on User CSP
- Can we post it on https://blog.mozilla.org/security/ ?
- we totally should.
- Yeah, I'd read the heck out of it
- X-Content-Type-Options: nosniff
- we want to push a spec for this, abarth is on board with this
- Tom Schuster (evilpie) is going to take a crack at the spec
- Tom is still waiting to have a secreview scheduled - we need dveditz for this
- B2G trusted UI https://bugzilla.mozilla.org/show_bug.cgi?id=768943
- FTFY: =^..^= <- a cat