From MozillaWiki



  • Telemetry
  • Websockets
  • SecReview bug classes should be actionable
  • Block old versions of Java
  • Click-To-Play plugins
  • HTTP Pipelining
  • libcubeb 623444


  • respond in mail and follow-up with Taras [bsmith,sid,curtis]


dchan et al. have completed a threat model:

  • meeting to be scheduled with Websockets team to follow-up

U+0020 bug 661036

Bugs from SecReviews

When we are reviewing a new feature, we want to make it clear which concerns are must-fix, etc. We can express our concerns as:

  • blocks-feature = You can't ship the feature until bug X is fixed.
    • Usually, this means "blocks the feature from being enabled on aurora", but sometimes it will block landing on mozilla-central, or block being enabled on beta.
  • blocking N+1 = You can't ship the feature in a release until it's clear that the issue will at least be fixed in the following release. Enforcement: "when your feature merges to beta, it will be disabled on beta unless it has been fixed on mozilla-central".
  • future promise = You can't ship the feature until we see a promise/plan to look into this issue in the future.
    • But if the promise is broken, the security team is in the extremely awkward position of arguing to remove a feature between Firefox N and Firefox N+1, and we will probably back down.
    • We'll have to discuss this (in the abstract or specific cases) with the release team
  • best practice = non-binding guidance on what should be done

Block old versions of Java

  • allow current release only (?) -> yes
  • Use softblocking, people can re-enable but we will disable
  • [dveditz] to file a bug to make this happen
  • will need PR and other teams lined up for this as well

Click-to-Play Plugins

  • Chrome does this today for some plugins that are widely deployed on user machines but not widely used on web sites (Shockwave, RealPlayer, Java, etc.)
    • user overrides: right-click -> enable once; per-site; global off-all-the-way; global on-all-the-way
  • implement per-site disabling as well as global; we are likely behind in this discussion
  • Should do -> details to be worked out

HTTP Pipelining

  • we're working on it, but it's not a high priority
  • review could be contentious, where we can't tell if it is safe enough to enable
  • there are some interesting questions that need to be further looked at
  • how to find out which transparent proxies are common, and test attacks against those proxies?
  • origin servers can be buggy too


  • trying to land, we need to do a review
  • ping christophd to fuzz [dchan]