TPE SecEng/2016 Q2 Deliverables

From MozillaWiki
Jump to: navigation, search

Summary

Shipped Features

  • Shipped in Firefox 49
    • Security for GoFaster - Enforce CSP for Remote New Tab [bug 1251152]
  • Shipped in Firefox 50
    • [P9] Support Containers (browsing session/data isolation) / Tor Integration - Land OriginAttributes in platform [meta bug 1179985]
    • Support web-site opt-in to better privacy by enabling per-element Referrer Policies [bug 1223838]
  • Shipped in Firefox Nightly 50
    • [P9] Contextual Identity (Containers) [meta bug 1191418]

Resolved Bugs

Totally 81 bugs were resolved in Q2, 2016.

Deliverables by Engineer

Dimi Lee

  • Add support for v4 SafeBrowsing (refactoring work for SB v2 which will also benefit SB v4)
    • meta bug bug 1167038 - Add support for version 4 of the Safe Browsing protocol
    • bug 1033450 - consolidate safebrowsing prefs in all.js
    • bug 1254766 - Stop caching Safe Browsing completions to disk
    • bug 1272239 - Support completion for test database
  • Improve SafeBrowsing v2 stability (focus on P2 bugs)
    • bug 1172688 - Add telemetry for when gethash calls timeout
    • bug 1262406 - Track element doesn't use the URL classifier
    • bug 1264169 - test_classifier.html doesn't remove url added to malware database when finish
    • bug 1264829 - test_classifier.html doesn't really test unwanted.example.com
    • bug 1274105 - Refactor classifierHelper.js
  • Fix security backlog bugs
    • bug 1148732 - (CVE-2015-4483) feed: protocol + POST method => mixed scripting
    • bug 1258033 - Fix the DNT loophole for tracking protection


Henry Chang

  • Finalize remote-newtab CSP enforcement
    • bug 1251152 - Implement Content Security Policy (CSP) for remote newtab
  • Fix security backlog bugs
    • bug 1093642 - e10s - Fix browser_bug906190.js to work in e10s mode
    • bug 1269426 - browser_bug906190.js in e10s mode would have memory leak
    • bug 914860- Persist "disable protection" option for Mixed Content Blocker in child tabs for 302 redirects
  • Refactor listmanager for SafeBrowsing v4 integration
    • Meta bug bug 1264885 - Refactor the listmanager to add support for both V2 an V4 of the protocol
    • bug 1037555 - safebrowsing listmanager needs a unittest
  • SafeBrowsing test cases (focus on listmanager and hashcompleter)
    • bug 1037555 - safebrowsing listmanager needs a unittest
    • bug 1274223 - Test if nsUrlClassifierHashCompleter.js sends expected completion request
  • SafeBrowsing v4 development
    • Meta bug: bug 1167038 - Add support for version 4 of the Safe Browsing protocol
    • bug 1275198 - Add SafeBrowsing v4 protobuf related files
    • bug 1273395 - Add preference for Safe Browsing v2/v4 switch


Jonathan Hao

  • Clear all OriginAttributes backlog bugs for Firefox Nightly 50 (platform support for Containers)
    • bug 1260915 - ServiceWorkerManager needs to handle userContextId correctly (resolved won’t fix)
    • bug 1259871 - BackgroundUtils ignores origin attributes when app ID is unknown
    • bug 1260907 - nsGlobalWindow needs to handle user context id correctly
    • bug 1214071 - Add APIs get/removeCookiesWithOriginAttributes() in nsICookieManager2.idl
    • bug 1260915 - Write a test to make sure Service Worker handle userContextId correctly
    • bug 1268803 - Make sure BroadcastChannel are separated by userContextId
  • Fix bugs for the Containers project
    • bug 1269660 - Fix incorrect usages of SpecialPowers.pushPrefEnv in existing contextual identity browser tests
    • bug 1271792 - Regression: mozilla::dom::TabChild::RecvSwappedWithOtherRemoteLoader crash when moving container tabs
    • bug 1280006 - Backout image cache double-key
    • bug 1275485 - Regression: can't close container that have been separated from the main window (can't close fx either and need to kill process)
  • Security backlog bugs
    • bug 1241634 - Intermittent test_frameNavigation.html | navigating to insecure grandchild iframe blocked on insecure page
    • bug 1270980 - Intermittent browser_broadcastchannel.js | Uncaught exception - at :0 - Error: operation not possible on dead CPOW | Found an unexpected tab at the end of test run: empty_file.html


Thomas Nguyen

  • Add support to referrer policy in link element
  • Enable referrer policy attribute by default
    • The target ship bug is Bug 1223838 - Enable perElementReferrer by default, which depends on:
    • bug 1168540 - W3C referrer policy tests (almost done; blocked by test machine issues)
    • bug 1260664 - W3C Reflect referrerPolicy as a limited enumerated attribute.
    • bug 1261003 - W3C referrerpolicy content attribute doesn't work in FF
    • bug 1261298 - W3C referrer policy attribute is not passed to image
    • bug 1270050 - W3C origin-when-crossorigin vs origin-when-cross-origin
  • Take and resolve one or two SafeBrowsing starter bugs as preparation for engaging in SafeBrowsing project
    • bug 1025965 - Rename browser.safebrowsing.enabled to browser.safebrowsing.phishing.enabled


Tim Huang

  • Finish OriginAttrbiutes bugs for the Containers project
    • bug 1237913 - link checker for new tab page needs to use the correct user context id origin attributes
    • bug 1237915 - devtools storage interface needs to use the correct user context id when opening indexdb connections
    • bug 1238182 - extensions need to use origin attributes correctly.
    • bug 1262813 - Listing indexedDB from a javascript: iframe fails with TypeError
    • bug 1237916 - Webapps.jsm code needs to properly handle the user context id along with the app id.
    • bug 1260917 - Sandbox needs to handle userContextId correctly.
    • bug 1260921 - HttpChannelParent::DoAsyncOpen needs to handle userContextId correctly
    • bug 1267910 - Make the API add() and getCookiesFromHost() of the nsICookieManager2 OriginAttributes-aware
    • bug 1238183 - ForgetAboutSite needs to forget about a site for all user context ids, not just usercontextid 0
    • bug 1250983 - Add mochitest to ensure the "Forget" button correctly deletes all data from all user contexts.
    • bug 1260906 - StorageDirectoryHelper need to do the right thing with user context id origin attribute
    • bug 1262813 - Listing indexedDB from a javascript: iframe fails with TypeError
    • bug 1270423 - The nsICookieManager.remove() does not reference originAttributes at release build.
    • bug 1270678 - Make sure favicon requests obey OriginAttributes
    • bug 1235667 - PermissionsUtils.jsm needs to stop using createCodebasePrincipalFromOrigin
    • bug 1280863 - popup permissions do not apply to containers and can't be changed to to the same value as default


Yoshi Huang

  • Origin Attributes for the Containers project
    • bug 1263496 - Create null principal with correct origin attributes
    • bug 1266022 - Assertion failure: originAttrsLoadInfo.mUserContextId == originAttrsLoadContext.mUserContextId
    • bug 1250033 - DocShell shouldn't have any child when setting userContextId
    • bug 1250063 - mContentViewer shouldn't load any document except for about:blank when setting origin attributes on the docshell
  • UserContextId (frontend) for the Containers project
    • bug 1237077 - drag and drop handlers need to use the proper user context id
    • bug 1274461 - Regression: Session Restore not restoring containers
  • Technical sharing to team members
    • Engineering workflow
    • Bugzilla tips
Retrieved from "https://wiki.mozilla.org/index.php?title=TPE_SecEng/2016_Q2_Deliverables&oldid=1138420"