SecurityEngineering/MeetingNotes/06-28-12
From MozillaWiki
Goals
Goals rundown: we're doing pretty well with our Q2 goals!
Additional Items
- Mobile online authentication/payment support for Boot 2 Gecko.
  - Are plugins allowed? No user-installable plugins. Some carriers may include plugins.
  - Why do they need/use plugins? What do plugins buy them that the browser can't do?
  - How can we move the banks off plugins onto something that's more portable?
- CSP meta tag and sandbox directive
  - The sandbox directive in CSP 1.1 is disallowed in a meta tag due to spec language, but that might be a technicality
  - It is hard to get the two features to work together: dynamically changing the sandboxing of a document becomes very confusing
  - dveditz or tanvi will send mail to the working group about this to clarify whether the sandbox directive should be allowed in meta policy or not
- DNT
  - sid was at the DNT working group meeting last week
  - discussions are intense and ongoing
  - afowler testified in front of the US Congress today [1]
Roadmaps
https://wiki.mozilla.org/Privacy/Roadmap/2012
- Opt-in activation for plugins
  - Asa is going to talk to UX; we are blocked on UI from them
  - Need review. Who should we ask? Blocklist stuff (mossop maybe) and UI stuff (jared)
- Sign in to browser moving to P2
- iframe sandbox
  - olli reviewing, then need jst or someone else to review. At risk for ff16, because merge coming up
  - need to figure out how to make the build faster!
- Low-rights Firefox
  - Working build of firefox.exe linked with the Chrome sandbox library
  - now working on trying to spawn a target process in the sandbox
  - continuing to work on the POC
  - had a good conversation with Jesse about sandboxing in Servo
  - need to discuss next steps with Lucas when he is back
- HSTS Preload List
  - pending feedback from Sid.