SecurityEngineering/MeetingNotes/05-17-12

Standing Agenda

  • Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/05-10-12

Security Roadmap

  • Progress is being made!

Additional Items

  • Priorities in Roadmaps
  • Sandbox directive

According to the specification, being conformant requires supporting all of the specified directives. So it is not clear that it is feasible for any UA to be conformant, because there will not be two browsers that support all of the directives. We believe having two browsers be totally conformant to CSP 1.0 is the right approach for developers, so that they know that a browser claiming to support CSP provides all of the directives in the 1.0 spec. In order to put the sandbox directive in 1.0, we would need to change the conformance text to not require support for all directives. Mozilla does not support changing this text, since developers would be unsure what compliance with the specification means for different user agents.

  • Mixed Content Icons
    • Mixed Content Icon will be a gray triangle instead of yellow. Once we figure out the difference between mixed script and mixed display, we can consider a more yellow icon.
  • Intern Projects
    • Mixed Content - implement fix for 62178
    • User testing - mixed content UI, cleartext passwords UI, security preferences/settings UI
    • SSL validation extension point
    • HSTS Preload List