SecurityEngineering/MeetingNotes/08-16-12

Q3 Goals recap

Sounds like we're doing pretty well so far.

Not really any updates from previously -- discussions still going on
This is being socialized
Need a story around add-ons - very difficult to get the data to answer the actual question: how many users will sandboxing break ?
What about Java? We don't have full content processes, so this makes it a bit harder with Java. Lots of work to cross process boundaries
Keeler ratholes on this particular thing. See http://www.stanford.edu/class/cs240/readings/usenix2002-fibers.pdf for the kind of thing he was talking about.
The roll-out strategy is hard ... might be worthwhile doing a gradual roll-out on one platform first or something.
Ian and Lucas to continue spearhead a plan-making synergy
Ian wants to hack on the POC to get more insight

keeler would appreciate an escalation for this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=778365
- This would give us the ability to actually deploy a blocklist with the click-to-play stuff (AMO bug for updating the web interface)
- All the other super-hard blockers for c2p are landing soon
- please help with traction/progress on this

Ian filed a slew of bugs to help us with landing strategery
how to approach it ?
- supporting both headers, with a timeline for deprecation
- lots of bugs to fix still to hit Q3 goal
- want to deprecate old header and have a timeline for doing so, this should be lined up with the ESR cycle

SecAssure is talking about throwing a mozilla security conference
- Kind of like bsides (or actually with the B-Sides people)
We're thinking more like a brown bag or workshop
We still want to do some sort of gathering at SF or MV office this quarter (but no plan yet)
- We could try to get various security community folks together to talk about web security standards (DNT, CSP, WebCrypto, Different HTTPS trust models, etc)

they have permissions etc

iframe sandbox will land as soon as https://bugzilla.mozilla.org/show_bug.cgi?id=781126 lands (Any Day Now)
hsts preload - should land soon
CA pinning -- tests are almost ready (problems on Try and windows), blocked on review
Mixed Content Blocking -- mixed content blocking HARD due to UI. Really close, may make 17
- https://bugzilla.mozilla.org/show_bug.cgi?id=782654 - bug for UI
- Sounds like we've reached a reasonable direction on UI, working on landing plan. UI targeted for 18, the back-end for 17.
Per Site 3rd Party cookies - blocked by refactoring cookie service, we want this to land first
- we will ping jason again

XSS Filter Update
- talked to jst - have a clear path to landing
- still significant work - talked about how to determine performance hit and criteria to land
- need to rework callbacks - this isn't to avoid perf hits but to minimize the chance of someone forgetting to add the XSS filter check at every callsite
- might tie in with CSP 1.0 work, using that to drive the service/registered policy work ?
SSL Telemetry
- there is data from https://bugzilla.mozilla.org/show_bug.cgi?id=767676
- what next ? there are more patches/bugs - also do we need to tweak what we collect ?
- https://bugzilla.mozilla.org/show_bug.cgi?id=707275 <- would be awesome to finish - MOAR DATA
X-Content-Type-Options
- abarth has offered to help us draft a spec and has encouraged us to do so !
- trying to get security assurance team to schedule a secreview with tom to get input from them, although maybe it's best to gather this as part of the spec discussion on whatever mailing list we decide to pursue it (IETF or WebAppSec)
- see thread on team lists for more details
servo and sandboxing
- talked to jst about this
- servo work week in MV next week - going to go chat to the Servo folks