FirefoxOS/New security model/Meetings/2015-08-04 Notes
From MozillaWiki
< FirefoxOS | New security model | Meetings
Contents
Sprint 4, WW3 (Aug 3 - Aug 7)
- Time: 2015/8/4 (Tue), 2pm CST
- Place: B2G Vidyo
- Host: Paul Theriault
- Attendees: Jonas, Ken, Yoshi, Dimi, Henry, Ethan, Kan-Ru, Aaron, Jonathan
Announcement
In order to trace progress of NSec milestones, we have to set [Target Milestones] in NSec bugs, especially those with priority P1 and P2.
Aaron Wu will create a Wiki page to monitor NSec bug progress according to this field.
Status Update
Henry
- Bug 1188717 - Store necessary info to cache metadata for packaged web app
- waiting on advice from Honza/Valentin for next steps
- Bug 1185439 - Packaged apps needs to know the header of the multipart'ed content
- Bug 1181137 - Packaged Apps do not apply security headers
- We need to discuss this bug for signed packaged
- Process switch flow chart. Need further discussion with necko team and Kanru
Dimi
- NSec:
- Bug 1189235 - use originAttribute for ServiceWorkerRegistrar
- Service Worker:
- Bug 1187766 - Test loading plugins scenarios with fetch interception. r+
- Bug 1188822 - Make service-workers/service-worker/fetch-request-resources.https.html pass. on-going
Yoshi
- Bug 1165214 - DOMStorageManager should use origin for ScopeKey and QuotaKey. working on data-migration. v3
- Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying appid/browser. Working on Part 2 fix nsILoadContext
- Bug 1165277 - Use origin in SessionStorage.jsm. feedback+
- Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo. Listing dependencies.
Kanru
- Bug 1190245 - refactor nsFrameLoader.cpp in preparation of implementing process switch
- Bug 1170894 - Implement process switch (includes bug 1186843) and working out test plans
- Bug 1186843 - will be morphed into fix remaining message manager switch bugs after process switch
Ethan
- Bug 1163254 - Add signedPkg OriginAttribute for new Firefox OS security model (meta bug)
- Bug 1179985 - Make all Origin-Related APIs OriginAttributes-aware (meta bug)
- Bug 1165267 - Use cookieJar for nsCookieService
- Change in nsCookieKey or CookieService
- Use OriginAttribute in IndexedDB (seems no bug is filed yet)
- Bug 1165217 - Use origin attribute in nsIUsageCallback
Jonathan
- Bug 1178518 - Support for verifying signed packages
- Made a hook for necko
- Implementing verification using VerifySignedManifest in https://dxr.mozilla.org/mozilla-central/source/security/apps/AppSignatureVerification.cpp#843
- Thanks and please start a thread to discuss with keeler/rbarnes
- Sure.
Paul
- cookie
- what is the relationship between signed package origins and their host origin?
- does the signed package origin subsume the host origin (i.e. do cookies for the host domain show up in document.cookie inside package js)
- permission model
- looking at permissions to see if we can to latent permission granting in the future