SecurityEngineering/MeetingNotes/12-20-12
Q4 Goals
- [ON TRACK] Land CSP 1.0
- [ON TRACK] Deliver integrated Payments and ID for B2G
- [DONE] Host security community event (public brownbag on 11/13)
2013 Planning/Roadmap
- January 14-18, in MV (maybe some in SF)
Third Party Cookies
- Jonathan Mayer has written a patch and is working towards implementing Safari's 3rd party cookie policy for Gecko
- https://bugzilla.mozilla.org/show_bug.cgi?id=818340
- blogpost: http://webpolicy.org/2012/02/17/safari-trackers/
- would we want this on for everyone by default or opt in?
- risk of breakage? would obviously be broken in Safari as well...
- Unless Safari has some undocumented "user-interaction" heuristics that unbreak sites this doesn't
- maybe land with a pref and let people try it out on Nightly?
- Allow reading/writing cookies from sites you have previously visited (or already have cookies from).
- Or maybe just allow reading cookies (and not writing to them) if that is possible without breaking sites.
- Compatibility issues? Websites make exceptions for Safari User Agents to work around its cookie policy; these won't work for Firefox.
- This sounds like something that needs telemetry.
- Test Pilot
User Control of Referer
- Bug 822869 - Expand user options and limit default behavior for sending of HTTP referers
- https://bugzilla.mozilla.org/show_bug.cgi?id=822869
- bug has an attached "High-level document outlining referrer privacy issues and use cases"
- what do we think? right now the proposal is a pref that a user has to opt in to
Site Identity Messages
Mixed Content - Written Update Only
Needed to land in FF20:
- Bug 782654 - Implement Mixed Content Blocker New Icon - Backend Changes - Landed.
- Bug 822366 - Implement Mixed Content Blocker New Icon - Frontend Changes - Done but not landed.
- Bug 822367 - Implement Mixed Content Blocker Doorhanger - Backend Changes - In progress, but stuck right now.
- Bug 822371 - Implement Mixed Content Blocker Doorhanger - Frontend Changes - In progress. Need help from Stephen and a Frontend Engineer.
After FF 20:
- Bug 822373 - Learn More pages for Mixed Content Blocker - Michael Verdi and Larissa helping
- Telemetry (maybe uplift)
- Web console/Error console
- And a list of edge cases to deal with
10 Points for Gryffindor!
(see Ian's meeting announcement email)