SecurityEngineering/MeetingNotes/12-20-12

From MozillaWiki

Q4 Goals

  • [ON TRACK] Land CSP 1.0
  • [ON TRACK] Deliver integrated Payments and ID for B2G
  • [DONE] Host security community event (public brownbag on 11/13)

2013 Planning/Roadmap

  • January 14-18, in MV (maybe some in SF)

Third Party Cookies

  • Jonathan Mayer has written a patch and is working towards implementing Safari's 3rd party cookie policy for Gecko
  • https://bugzilla.mozilla.org/show_bug.cgi?id=818340
  • blogpost: http://webpolicy.org/2012/02/17/safari-trackers/
  • would we want this on for everyone by default or opt in?
    • risk of breakage? would obv. be broken in Safari as well...
      • Unless Safari has some undocumented "user-interaction" heuristics that unbreak sites this doesn't
    • maybe land with a pref and let people try it out on Nightly?
  • Allow reading/writing cookies from sites you have previously visited (or already have cookies from).
    • Or maybe just allow reading cookies (and not writing to them) if that is possible without breaking sites.
  • Compatibility issues? Websites making exceptions for Safari User Agents to work around their cookie policy; these won't work for Firefox.
  • This sounds like something that needs telemetry.
  • Test Pilot

User Control of Referer

  • Bug 822869 - Expand user options and limit default behavior for sending of HTTP referers
  • https://bugzilla.mozilla.org/show_bug.cgi?id=822869
  • bug has an attached "High-level document outlining referrer privacy issues and use cases"
  • what do we think? right now the proposal is a pref that a user has to opt in to

Site Identity Messages

Mixed Content - Written Update Only

Needed to land in FF20:

  • Bug 782654 - Implement Mixed Content Blocker New Icon - Backend Changes - Landed.
  • Bug 822366 - Implement Mixed Content Blocker New Icon - Frontend Changes - Done but not landed.
  • Bug 822367 - Implement Mixed Content Blocker Doorhanger - Backend Changes - In progress, but stuck right now.
  • Bug 822371 - Implement Mixed Content Blocker Doorhanger - Frontend Changes - In progress. Need help from Stephen and a Frontend Engineer.

After FF 20:

  • Bug 822373 - Learn More pages for Mixed Content Blocker - Michael Verdi and Larissa helping
  • Telemetry (maybe uplift)
  • Web console/Error console
  • And a list of edge cases to deal with

10 Points for Gryffindor!

(see Ian's meeting announcement email)