Standing Agenda

• Q3 Goals Recap -
  • Implement security model for basecamp
  • Achieve go / no-go for Firefox sandboxing
  • Land "final" Click to Play experience (address correctness and UX)
  • Ship CSP compliant with W3C 1.0 spec (also helps B2G)
  • Lead security/privacy dev community event or workshop
• Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
• Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
• Suggest additions or changes to roadmaps
• Detailed discussion of features or outstanding issues as time permits
• Additional Items
• Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/09-05-12

Goals

• [ON TRACK] Security Model for basecamp
• [DONE] Sandboxing - we have a plan (Windows 8 metro) and buy into this plan from Asa
• [ON TRACK] C2P user experience is on track
• [AT RISK] CSP 1.0 compliance -- slightly less left to do, still hacking away
• [DROPPED] community event or workshop

Roadmap

3rd party cookies

• backend reviewed and ready to land, UI is next, it's 'pretty small'

CA pinning

• first patch will land in NSS 3.14/FF18
• patches refactored to help with the patches a contributor is working on
• and to help with other things
• now targeting FF19 for static pins

Click to Play

• "about 2-3 weeks" left
• keeler got feedback from shorlander, that needs to be addressed
• feedback loop is taking some time
• might not be able to uplift to 17
• can land on 18 which will then go to Aurora shortly

Mixed Content

• ready to land Part 1, apart from one blocker : tests failing on Android - tanvi is debugging and building fennec. (Part 1 is backend, where blocking is opt-in)
• Part 2 not started yet. (Part 2 is UI, where mixed script is blocked by default)

CSP 1.0 compliance

• main bugs are https://bugzilla.mozilla.org/show_bug.cgi?id=746978 (parser changes) and https://bugzilla.mozilla.org/show_bug.cgi?id=783049 (support both headers)
• meta bug is https://bugzilla.mozilla.org/show_bug.cgi?id=663566
• outstanding questions on inline styles :
  • do we just block the style tag and attribute, or do we block other things like "border" attribute and such?
  • What about when the data is set via JS (not through the HTML parser)?
  • Context: https://bugzilla.mozilla.org/show_bug.cgi?id=763879 particularly https://bugzilla.mozilla.org/show_bug.cgi?id=763879#c26
• from dveditz: "we don't allow onclick=""but we allow JS to create event listeners. similarly, we can strip style="" but allow modifying the direct properties from allowed scripts. the issue we're worried about is injected style, not using style"
• request clarification from the working group for web author consistency
• inline style is in html and hence should be blocked in the absencse of inline-style. style in javascript is not inline style. so if we have an external javascript file that creates a style tag, what happens if this is the policy with script-src thirdparty.script.com.

WebCrypto API

• first draft of the spec is up !!!

Test Pilot Survey Questions

https://id.etherpad.mozilla.org/passwords

Marketing Security & Privacy Features

• https://etherpad.mozilla.org/SecurityPrivacyFeatures
• divide into features more for users and more for developers ?
• Security and Privacy Brown Bag for Mozilla employees, the community, and the public. Going through some of the stuff we've finished, and what we are actively working on now. This will help with telling the world about the awesome sec/privacy features firefox has. And perhaps get people intersted in helping with them :)