- SecReview bug classes should be actionable
- Block old versions of Java
- Click-To-Play plugins
- HTTP Pipelining
- libcubeb 623444
- respond in mail and follow-up with Taras [bsmith,sid,curtis]
dchan et al have completed a threat model: https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/WebSockets
- meeting to be scheduled with Websockets team to follow-up
U+0020 bug 661036
Bugs from SecReviews
When we are reviewing a new feature, we want to make it clear which concerns are must-fix, etc. We can express our concerns as:
- blocks-feature = You can't ship the feature until bug X is fixed.
- usually, this means "blocks the feature from being enabled on aurora". but sometimes it will block landing on mozilla-central, or block being enabled on beta.
- blocking N+1 = You can't ship the feature in a release until it's clear that the issue will at least be fixed in the following release. Enforcement: "when your feature merges to beta, it will be disabled on beta unless it has been fixed on mozilla-central".
- future promise = You can't ship the feature until we see a promise/plan to look into this issue in the future.
- But if the promise is broken, the security team is in the extremely awkward position of arguing to remove a feature between Firefox N and Firefox N+1, and we will probably back down.
- We'll have to discuss this (in the abstract or specific cases) with the release team
- best practice = non-binding guidance on what should be done
Block old versions of Java
- allow current release only (?) -> yes
- Use softblocking, people can re-enable but we will disable
- [dveditz] to file a bug to make this happen
- will need PR and other teams lined up for this as well
- Chrome does this today for some plugins that are widely deployed on user machines but not widely used on web sites (shockwave, real player, Java, etc.)
- user overrides: right-click -> enable once; per-site; global off-all-the-way; global on-all-the-way
- implement per-site diabling as well as global, we are likely behind in this discussion
- Should do -> details to be worked out
- we're working on it, but it's not a high priority
- review could be contentious, where we can't tell if it is safe enough to enable
- there are some interesting questions that need to be further looked at
- how to find out which transparent proxies are common, and test attacks against those proxies?
- origin servers can be buggy too
- trying to land, we need to do a review
- ping christophd to fuzz [dchan]