Weekly Status Update

Dimi Lee

• Work on Serviceworker, nothing related to NSec last week
• Will start to work on Bug 1178526 - Set appropriate origin attributes for signed packages

Ethan Tseng

• Bug 1165267 - Use OriginAttributes for nsCookieService
  • Upload a WIP patch to remove |appId| and |inBrowserElement| as cookie key
  • The only cookie key is |baseDomain|
  • Investigate internal data format of cookie (DB, hashtable and cookie list, ..., etc.)
  • Make an implementation plan (thanks to Henry!) - reduce cookie DB records within the same domain while DB migration
  • Paul: I assume this doesn't help?
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1165267#c4
• Bug 1181031 - Shared Cookie Jar

Henry Chang

• Bug 1178525 - Ensure the package is verified before content is served
  • f+ by Valentin
  • Ideally should land after Bug 1178518 but only 2 weeks from milestone 1...
• Bug 1186290 - Notify TabParent to switch process when a signed packaged is loading from different origin.
  • Works for most of the cases on both desktop browser and B2G with the following issues:
    • Need to deal with system XHR. May use "nsILoadInfo.securityFlags | SEC_SANDBOXED" to check.
    • Need to refresh the browser (like hide/show the menu bar) to get the content showed. (desktop)
    • Tab title keeps showing "Connecting"

Jonathan Hao

• Bug 1178518 - Support for verifying signed packages
  • Finally verifying the output of signing tool successfully (thanks to discussion with Dimi)
  • Preparing to be reviewed
  • Created PrivilegedPackageRoot in nsIX509CertDB
  • Its private key is in my local machine, so only I can sign packages now.
• TODO: a signed package generator
• Can we reuse security/apps/marketplace-dev-public.crt?
  • Marketplace did signing in https://github.com/mozilla/zamboni/

Tim Huang

• Studied the WiFi stack of the firefox os.

Winnie Sun

• Bug 1011358 - [wifi][wi-fi] Gecko doesn't notify Gaia when wpa_supplicant scans and finds new SSIDs/nodes
  • Under reviewing.
• Bug 1187262 - A device cannot connect B device through wifi
  • Fixed the code according to the review comment.
  • Waiting for the implementation of 'allNetworkInfo'. (Bug1197667)
• Bug 1188617 - [Aries][Utility Tray] Re-enabling wi-fi from notification tray automatically launches Settings app.
  • Under discussion about the way to improve it.
• Bug 1189143 - [Browser] Video cannot be loaded when network is connected back
  • Looking for the crush point.
• Studying about the Wifi Direct.

Yoshi Huang

• Bug 1165272 - unify Get*CodebasePrincipal with createCodebasePrincipal in nsIScriptSecurityManager. landed
• Bug 1165466 - Fix up docshell and loadcontext inheriting code in nsIScriptSecurityManager to use originAttributes rather than explicitly querying appid/browser. r? sent on 8/24
• Bug 1167100 - User nsIPrincipal.originAttribute in ContentPrincipalInfo. r?
• Bug 1196652 - OriginSuffix is shown in about:serviceworker on b2g. ongoing

Aaron Wu (EPM)

• Milestone 1 target (Sept 4, S6)
  • Signing
    • Tools for developers to make and sign packages
  • Verification
    • Add necko hooks for signature verification. Check package location
    • Implement signature checking (stretch goal)sd
  • CSP
    • Move to milestone 2-> Apply default CSP to signed package and add tests for CSP.
  • Process Isolation
    • Basic process switching (no session restore)
  • Installation & Update
    • Implement cache-pinning for packages.
    • Register permissions/ system messages on install & register web activities on pinning
  • Service Workers
    • Determine implementation strategy
  • Origin & Cookie Jars
    • Implement SignedPKG origin attribute. Make progress on refactoring gecko to use origin exclusively.
• Scrum Status for S5 review and S6 planning
  • https://wiki.mozilla.org/FirefoxOS/New_security_model/FxOS_2.5_Scrum
  • [PT ongoing]: We need the original HTTP response header for each resource for verification.(ACTION: discuss further offline)