SecurityEngineering/MeetingNotes/08-23-12

Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
Suggest additions or changes to roadmaps
Detailed discussion of features or outstanding issues as time permits
Additional Items
Upcoming events, OOO/travel, etc.

[ON TRACK] Security Model for Basecamp
- work week next week in Brazil
- progress being made on permissions, including testing
[ON TRACK] CSP 1.0 Compliance
- We've got a plan for how to support both existing (legacy) and new 1.0 CSP (both headers, two parsers).
- bug 783049 and bug 746978 are starting point and anchor blocks for the work
- Lots of little bugs to pick off, if you'd like them and want to volunteer, ping imelven/geekboy or look at dependencies of bug 737064
[AT RISK] event/gathering for security/privacy
- Probably not gonna happen
[ON TRACK] Click To Play
- a couple of bugs still open, but very very close to landing
- Almost entirely good with correctness bugs
- Next point is to do the UX -- working with shorlander to make it go

[ON TRACK] Mixed Content Blocker
- comments on larissa's slides? on the actual text in the messages?
- I asked her to add an X in the top left of the dialog box, so users have a way to get out of it if they dont' realize they can click elsewhere. If there isn't anything else, i can tell her we are happy with it.
- mochitests for bug 62178 not done :( The tests fail with a timeout on the try server, and I'm not sure why yet. This probably won't land by Monday, so we'll have to push it to FF18. The bug adds two about:config options to block mixed active or mixed display content. Turned off by default. https://tbpl.mozilla.org/?tree=Try&rev=2c1c7a85e4af
[ON TRACK] Process sandboxing
- have support from Asa to focus on Windows 8 Metro where we already need to figure out an approach for addons, which we also need to do for sandboxing
- going to talk to bsmedberg, jimm, and bbondy and start working on this
[DONE] iframe sandbox
- LANDED in FF17
- working on a small followup (bug 752529), need input from bent and sicking
- still csp sandbox, allow-popups, automatic feature, 'allow-pointer-lock' to do..
[ON TRACK] CA Pinning
- Will not land on 17
- Discovered bug on psm(pkix) so that breaks spdy when libpkix is enabled.
- Discovered local bug on certficate overrides.
- Waiting on reviews from bsmith, he is loaded up with B2G work
- NSS patch has been waiting for review for 5 weeks

Updates from Security Assurance Work Week
- tanvi will give an update next week
- not sure what Yvan wanted to say - they are planning a 'Mozilla Security Conference' of some kind
- potential new roadmap item from sec assurance work week - universal xss - put csp on chrome pages - will discuss next week
evangelizing roadmaps - how do communicate about the things we're working on?
- ian talked to johnath about this - his suggestion was : land them - and then talk/blog about them.
- tanvi - ran out of time at sec assurance work week for a talk on our roadmaps, but I plan to give it at one of their tuesday weekly meetings.
- raise visibility
- nominate people for friends of tree for doing cool stuff ?
- do voice updates at Monday meeting for cool things (that impact lots of people/are visible) we ship ?
- post on dev-security ? or other groups ?
blog on User CSP
- Can we post it on https://blog.mozilla.org/security/ ?
- we totally should.
- Yeah, I'd read the heck out of it
X-Content-Type-Options: nosniff
- we want to push a spec for this, abarth is on board with this
- Tom Schuster (evilpie) is going to take a crack at the spec
- Tom is still waiting to have a secreview scheduled - we need dveditz for this
B2G trusted UI https://bugzilla.mozilla.org/show_bug.cgi?id=768943
FTFY: =^..^= <- a cat

Contents