SecurityEngineering/MeetingNotes/06-14-12

Standing Agenda

• Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
• Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
• Suggest additions or changes to roadmaps
• Detailed discussion of features or outstanding issues as time permits
• Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/06-07-12

Security Roadmap

Any blockers, significant developments, questions/input from team?

• CA Pinning - not using permissions manager and we may need to build something else. Perhaps cert override service or something like that. Target is still FF 17.
• Click-to-play - blocked on UI design, nsObjectLoadingContent undergoing changes, main click-to-play patch under review
• iframe sandbox - will do another pass on review feedback etc tomorrow, still trying for FF16 if possible.
• low rights Firefox - addon compatibility is the biggest issue - need to get a POC up and try to determine amount of breakage - need to sync up with addon folks and see if we can find out how many addons expect arbitrary filesystem/registry access and to be able to launch new processes.
• Highlight Cleartext passwords - data needs validating; user research surveys need to be done. But working on other bugs instead to alert about security issues in Web Console -

https://bugzilla.mozilla.org/show_bug.cgi?id=737873 - blocks Mixed Content feature https://bugzilla.mozilla.org/show_bug.cgi?id=762593 - blocks this feature

Privacy Roadmap

No news is good news.

Additional Items

• Mixed Content. Which option do we select for FF14?
  • Current: Current FF13
  • Option 1
  • Option 2 (better picture here: https://msujaws.wordpress.com/2012/04/23/an-update-to-site-identity-in-desktop-firefox/comment-page-1/#comments )
  • Option 3

there's a consensus that we prefer 1 over 2.

• script vs display. What do you guys think?
  • Mixed script: TYPE_SCRIPT, TYPE_XMLHTTPREQUEST, TYPE_STYLESHEET, TYPE_OBJECT, TYPE_SUBDOCMENT, TYPE_WEBSOCKET
  • Mixed display: TYPE_IMAGE, TYPE_SUBDOCUMENT, TYPE_PING, TYPE_FONT, TYPE_MEDIA, TYPE_WEBSOCKET
  • Necko already blocks mixed websockets, so that case is probably redundant, but I didn't want people to wonder why it wasn't explicitly handled. websockets belong w/XHR. So does "Event Source"
  • Some load types, like TYPE_XBL and TYPE_REFRESH, didn't appear to make sense in this context, so I ignored them
  • TYPE_SUBDOCUMENT - should be MixedScript because it could contain references to scripts and contains inline scripts.
  • TYPE_WEBSOCKET - should be MixedScript. same as xhr.
  • TYPE_FONT - Fonts may have scripting in them, but they aren't run in page. So okay as mixed display.
  • TYPE_PING - if put ping in <a> tags. Can't talk to the page, etc.

• Changes to phishing, malware, and cert error pages coming up - https://bugzilla.mozilla.org/show_bug.cgi?id=756926. Debate over colors of the buttons.

Network error: http://screencast.com/t/GincXyxP5 Certificate error: http://screencast.com/t/Xi4A8Oh2iFOq Phishing attack: http://screencast.com/t/4WzmjcH3 Malware attack: http://screencast.com/t/dB3grMJbw