FirefoxOS/New security model/Meetings/2015-08-25 Notes

From MozillaWiki

Weekly Status Update

Dimi Lee

  • Work on Serviceworker, nothing related to NSec last week
  • Will start to work on Bug 1178526 - Set appropriate origin attributes for signed packages

Ethan Tseng

  • Bug 1165267 - Use OriginAttributes for nsCookieService
    • Upload a WIP patch to remove |appId| and |inBrowserElement| as cookie key
    • The only cookie key is |baseDomain|
    • Investigate internal data format of cookie (DB, hashtable and cookie list, ..., etc.)
    • Make an implementation plan (thanks to Henry!) - reduce cookie DB records within the same domain during DB migration
    • Paul: I assume this doesn't help?
    • https://bugzilla.mozilla.org/show_bug.cgi?id=1165267#c4
  • Bug 1181031 - Shared Cookie Jar

Henry Chang

  • Bug 1178525 - Ensure the package is verified before content is served
    • f+ by Valentin
    • Ideally should land after Bug 1178518 but only 2 weeks from milestone 1...
  • Bug 1186290 - Notify TabParent to switch process when a signed package is loading from different origin.
    • Works for most of the cases on both desktop browser and B2G with the following issues:
      • Need to deal with system XHR. May use "nsILoadInfo.securityFlags | SEC_SANDBOXED" to check.
      • Need to refresh the browser (like hide/show the menu bar) to get the content shown. (desktop)
      • Tab title keeps showing "Connecting"

Jonathan Hao

  • Bug 1178518 - Support for verifying signed packages
    • Finally verifying the output of signing tool successfully (thanks to discussion with Dimi)
    • Preparing to be reviewed
    • Created PrivilegedPackageRoot in nsIX509CertDB
    • Its private key is on my local machine, so only I can sign packages now.
  • TODO: a signed package generator
  • Can we reuse security/apps/marketplace-dev-public.crt?

Kan-Ru Chen

  • Investigating how to manipulate Session History. Need to remove the "about:blank" page after switching back.
  • Discovered an issue that we need to identify a TabParent not only using the URL but also the TabId. Otherwise we might use a wrong TabParent that has the same URL but is in a different session history.

Yoshi Huang

  • Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager. landed
  • Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying appid/browser. r? sent on 8/24
  • Bug 1167100 - Use nsIPrincipal.originAttribute in ContentPrincipalInfo. r?
  • Bug 1196652 - OriginSuffix is shown in about:serviceworker on b2g. ongoing

Aaron Wu (EPM)

  • Milestone 1 target (Sept 4, S6)
    • Signing
      • Tools for developers to make and sign packages
    • Verification
      • Add necko hooks for signature verification. Check package location
      • Implement signature checking (stretch goal)
    • CSP
      • Move to milestone 2 -> Apply default CSP to signed package and add tests for CSP.
    • Process Isolation
      • Basic process switching (no session restore)
    • Installation & Update
      • Implement cache-pinning for packages.
      • Register permissions/ system messages on install & register web activities on pinning
    • Service Workers
      • Determine implementation strategy
    • Origin & Cookie Jars
      • Implement SignedPKG origin attribute. Make progress on refactoring gecko to use origin exclusively.
  • Scrum Status for S5 review and S6 planning