FirefoxOS/New security model/Meetings/2015-08-11 Notes
From MozillaWiki
< FirefoxOS | New security model | Meetings
Contents
Sprint 5, WW4 (Aug 10 - Aug 14)
- Time: 2015/8/11 (Tue), 1pm CST
- Place: B2G Vidyo
- Attendees: Paul T., Ken Chang, Jonathan, Dimi, Yoshi, Winnie, Kan-Ru, Henry, Ethan, Aaron
Henry
- Bug 1188717 - Store necessary info to cache metadata for packaged web app
- waiting on advice from Honza/Valentin for next steps
- Bug 1185439 - Packaged apps needs to know the header of the multipart'ed content
- r+'d and flagged checkin-needed
- Bug 1181137 - Packaged Apps do not apply security headers
- landed
- Bug 1192783 - [PackagedAppService] Need a way to detach the outer channel listeners from the internal download task
- Might not be harmful. Just be pending at the moment.
- Bug 1178525 - Ensure the package is verified before content is served
- Creating PackageAppVerifier
- Got kind of agreement with necko team (necko only notifies a signed package is about to download) regarding process switch.
- Issue: We need the original HTTP response header for each resource for verification.(ACTION: discuss further offline)
Dimi
- Bug 1189235 - use originAttribute for ServiceWorkerRegistrar
- Bug 1191647 - Listen to clear-origin-data in ServiceWorkerManager.cpp
Yoshi
- Bug 1165214 - DOMStorageManager should use origin for ScopeKey and QuotaKey. 'Honza took it and he will finish the database migration.'
- Bug 1165277 - Use origin in SessionStorage.jsm. 'r+'
- Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying ** appid/browser. 'Fixing the test cases failuires, as Bobby suggests to add [builtin-class] to nsILoadContext, but lots of test cases in JS will inherit nsILoadContext.'
Questions:
- Bug 1165217 - Use origin attribute in nsIUsageCallback. r? has sent to Jan Verga for 1 month.
- Bugs owned by Honza, no status recently.
- Bug 1165256 - use origin for app_cache
- Bug 1165269 - Use origin for http cache
Kan-Ru
- Bug 1170894 - WIP patch for process switching. Got feedback+s from smaug and billm.
Ethan
- Bug 1165267 - Use OriginAttributes for nsCookieService
- The plan is to abstract |appId + inBrowserElement| by nsIPrincipal.originAttributes.
- We must change nsCookieKey::KeyEquals() and HashKey().
- We must change query for cookies to not to count on appId.
- TBD: Internal use of appId and in BrowserElement in nsCookieService implementation.
- TBD: How to deal with Safebrowsing?
- Paul: We cannot get rid of appId in 2.5.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1165267#c5
- Look into nsCookieService: https://goo.gl/7H2RPI
Jonathan
- Bug 1178518 - Support for verifying signed packages
- Done
- Implementing verifyManifest()
- To-do
- Adding an AppTrustedRoot PrivilegedPackageAppRoot to X509CertDB?
- checkIntegrity()
- Testing -> may need signing tool
- Determine what the signing tool should look like
- Done
Paul
Aaron
- Step 1: review all the bugs on : https://wiki.mozilla.org/FirefoxOS/New_security_model#Implementation
- Step 2: Make sure all the bugs have marked "Target Milestone" and will go into Scrum Status Wiki : https://wiki.mozilla.org/FirefoxOS/New_security_model/FxOS_2.5_Scrum
- Step 3: Need to review your own bugs which able to complete by the target milestone you assigned, if any risk please raise up and we can discuss and re-prioritize.