FirefoxOS/New security model/Meetings/2015-08-11 Notes

Sprint 5, WW4 (Aug 10 - Aug 14)

• Time: 2015/8/11 (Tue), 1pm CST
• Place: B2G Vidyo
• Attendees: Paul T., Ken Chang, Jonathan, Dimi, Yoshi, Winnie, Kan-Ru, Henry, Ethan, Aaron

Henry

• Bug 1188717 - Store necessary info to cache metadata for packaged web app
  • waiting on advice from Honza/Valentin for next steps
• Bug 1185439 - Packaged apps needs to know the header of the multipart'ed content
  • r+'d and flagged checkin-needed
• Bug 1181137 - Packaged Apps do not apply security headers
  • landed
• Bug 1192783 - [PackagedAppService] Need a way to detach the outer channel listeners from the internal download task
  • Might not be harmful. Just be pending at the moment.
• Bug 1178525 - Ensure the package is verified before content is served
  • Creating PackageAppVerifier
  • Got kind of agreement with necko team (necko only notifies a signed package is about to download) regarding process switch.
  • Issue: We need the original HTTP response header for each resource for verification.(ACTION: discuss further offline)

Dimi

• Bug 1189235 - use originAttribute for ServiceWorkerRegistrar
• Bug 1191647 - Listen to clear-origin-data in ServiceWorkerManager.cpp

Yoshi

• Bug 1165214 - DOMStorageManager should use origin for ScopeKey and QuotaKey. 'Honza took it and he will finish the database migration.'
• Bug 1165277 - Use origin in SessionStorage.jsm. 'r+'
• Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying ** appid/browser. 'Fixing the test cases failuires, as Bobby suggests to add [builtin-class] to nsILoadContext, but lots of test cases in JS will inherit nsILoadContext.'

Questions:

• Bug 1165217 - Use origin attribute in nsIUsageCallback. r? has sent to Jan Verga for 1 month.
• Bugs owned by Honza, no status recently.
• Bug 1165256 - use origin for app_cache
• Bug 1165269 - Use origin for http cache

Kan-Ru

• Bug 1170894 - WIP patch for process switching. Got feedback+s from smaug and billm.

Ethan

• Bug 1165267 - Use OriginAttributes for nsCookieService
  • The plan is to abstract |appId + inBrowserElement| by nsIPrincipal.originAttributes.
  • We must change nsCookieKey::KeyEquals() and HashKey().
  • We must change query for cookies to not to count on appId.
  • TBD: Internal use of appId and in BrowserElement in nsCookieService implementation.
  • TBD: How to deal with Safebrowsing?
  • Paul: We cannot get rid of appId in 2.5.
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1165267#c5
• Look into nsCookieService: https://goo.gl/7H2RPI

Jonathan

• Bug 1178518 - Support for verifying signed packages
  • Done
    • Implementing verifyManifest()
  • To-do
    • Adding an AppTrustedRoot PrivilegedPackageAppRoot to X509CertDB?
    • checkIntegrity()
    • Testing -> may need signing tool
    • Determine what the signing tool should look like

Paul

Aaron

• Step 1: review all the bugs on : https://wiki.mozilla.org/FirefoxOS/New_security_model#Implementation
• Step 2: Make sure all the bugs have marked "Target Milestone" and will go into Scrum Status Wiki : https://wiki.mozilla.org/FirefoxOS/New_security_model/FxOS_2.5_Scrum
• Step 3: Need to review your own bugs which able to complete by the target milestone you assigned, if any risk please raise up and we can discuss and re-prioritize.