SecurityEngineering/MeetingNotes/05-03-12

From MozillaWiki
Jump to: navigation, search

Standing Agenda

  • Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-26-12

Apps Security/B2G Status

  • Lots of threads discussing this stuff (everywhere). Turns out the camera is the most complicated topic in the WebAPIs.
  • Converging to ery specific proposal
    • Permissions opt-in at runtime for trusted apps who need permissions aside from the implicitly provided permissions in trusted apps.
    • Some folks wanted "certified apps" (ones we sign) to be common, but Lucas argues that certification be reserved for special things like the dialer, the official "Settings" app, etc.
    • See WebAPI wiki page (https://wiki.mozilla.org/Webapi)
    • Users can choose permissions at install time, and permissions are granted at runtime and persisted. Users can later change the permissions if they wish, but once they're granted/rejected that choice is persisted. (Permission state may be represented by icons.)

Classes of webapps:

  1. untrusted (web page)
  2. installable (web page with a manifest)
  3. trusted (prompt user to allow certain api access like camera, contacts, etc)
  4. certified apps (extend OS, not common)

Much (if not all) of this is documented in the mail threads... but that's a lot of reading.

Roadmap Review

  • Privacy roadmap this week (https://wiki.mozilla.org/Privacy/Roadmap/2012)
  • Sid is still working Tanvi's awesome feedback into the roadmap
  • Sid is working on a new feature: setup a list of sites to be preloaded to be https by default
  • Checked with Google, they are OK with Aurora performance.
    • Next work on multiple cookie jars.
    • Only a few will remain P1, incuding shortened http referer header, cookie jars, per site third party cookie settins.
    • Hoping so simplyfy DNT for easier standarization.
    • Looking at several not so defined

Travel Stuff

  • B2G work week in San Diego next week.
  • May 22-24 HITB Amsterdam
  • Press tour in June (11th-ish)