SecurityEngineering/MeetingNotes/12-27-12
From MozillaWiki
Standing Agenda
- Q4 Goals Recap
- Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Additional Items
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/12-20-12
Q4 Goals
- [ON TRACK] Land CSP 1.0
- [ON TRACK] Deliver integrated Payments and ID for B2G
- [DONE] Host security community event (public brownbag on 11/13)
Mixed Content Regression
- Suppose you have an http page with https mixed content iframe. User has pref set to block mixed content.
- Block the http content on the https iframe?
- Allow the http content on the https iframe?
- What should the UI look like?
- Override doorhanger?
- Mixed Content Triangle Icon?
- Site Identity Text?
- Thoughts:
- Check what other browsers do.
- Doesn't make sense to talk about mixed content on an http page.
- Added difficulty in explaining to the user that you are blocking mixed content in a subframe - how will people understand that
- In the other case :
- If have https page with https framed site. Allowing mixed content should only allow mixed content on the top level page. Why not allow it on the iframe as well?
- If the framed ssl page and that page has mixed content on it, it is vulerable already.
- If sites are worried about this they can send X-Frame-Options. If the site already has mixed content issues, framing it doesn't make it much worse.
- But suppose your mixed content page works okay without the mixed content loaded, but attacker.com looks terrible without allowing mixed content. Attacker.com could trick you into allowing mixed content on their page and their framed mixed content page. --> Wait. No they couldn't. Since mixed content doesn't make sense on http://attacker.com and the doorhanger would never show up.
- https://bugzilla.mozilla.org/show_bug.cgi?id=824871
Get-Together Planning
- What things would we like to discuss or meet about in January while we're all in one place? Categories: learn, plan, hack
- (plan) CSP 1.1 and beyond - what do we want to support? (bring in dveditz on this)
- (learn) Mentorship program (yvan, university affiliation, project brainstorming)
- (plan) Conference & speaking planning
- (plan/learn) How our cookie backend/frontend look, brainstorm directions for improvement (both overview and planning the future)
- (plan/learn) Sandboxing -- the plan & strategy
- (plan) NSS/PSM/SSL work, prioritization, needs, etc
- (plan) roadmap blender party
- what we would like to see happen
- planning and resourcing our large projects our team will do (at a high level)
- Rework content policy? (request from Jonas et al) see https://groups.google.com/forum/#!topic/mozilla.dev.platform/veLFoy09ydg/discussion
- (learn) Add-on brain-dump/tutorial
- (learn) Collusion brain dump
- (learn) Firefox roadmap -- dump from someone on Fx team (?)
- (learn) b2g roadmap (lucas)
- (learn) privacy team plans for 2013 (alex or stacy maybe?)
- (learn/plan) contextual identity plan
- (hack) half day on knocking off a few of the roadmap items - maybe right after the blender session (e.g., CSRF blocker, Telemetry patches)
- Track jacket party
- Wednesday, January 16th, 12:00 - Brown Bag on "Designing Meaningful Security and Privacy Experiences (in a world where nobody cares?)" - https://bugzilla.mozilla.org/show_bug.cgi?id=817347