B2G Device Storage | In Progress | ` | * Who :: What :: By when
pauljt :: check with cjones on sizes, DoS risks, paths and partitions
dougt :: Investigate the file blob -> File handle patch
dougt & djf :: Further investigate permission granularity and implementation
adamm :: file a bug: isSafePath only checks for the "." and ".." path components, so "..." would get by
dougt :: fix bug xxx filed by adamm above |
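The "." / ".." component check noted above, as an added example (this is not the B2G isSafePath code): a naive version that rejects only the two literal components beside a hardened rule that rejects any empty or all-dot component, absolute paths and drive letters, and then confirms lexical containment under the storage root. The root path, function names and sample file names are assumptions for illustration.

```python
"""Added example: path-safety checks for names handed to device storage.

Not the B2G isSafePath implementation; the storage root and sample names
are assumptions.
"""
import posixpath


def components(path):
    # Treat both separators as boundaries: content should never be able to
    # choose which separator the platform honours.
    return path.replace("\\", "/").split("/")


def is_safe_path_naive(path):
    """The narrow check: rejects only the literal components "." and "..".

    It lets "..." through (some older Windows APIs resolved that as a double
    parent), as well as empty components, absolute paths and drive letters.
    """
    return not any(part in (".", "..") for part in components(path))


def is_safe_path(path):
    """Hardened check: relative, no NUL, no empty or all-dot components."""
    if not path or "\x00" in path:
        return False
    if path[0] in "/\\":                        # absolute path
        return False
    if len(path) > 1 and path[1] == ":":        # Windows drive letter, e.g. C:
        return False
    for part in components(path):
        if part == "" or part.strip(".") == "":  # "", ".", "..", "...", ...
            return False
    return True


def resolve_under_root(root, path):
    """Second line of defence: lexically resolve and require containment.

    Returns the resolved path, or None if the name is unsafe or escapes root.
    posixpath.normpath leaves "..." untouched, so containment alone would still
    accept ".../x"; that is why is_safe_path rejects all-dot components first.
    """
    if not is_safe_path(path):
        return None
    prefix = root if root.endswith("/") else root + "/"
    resolved = posixpath.normpath(posixpath.join(root, path))
    if resolved != root.rstrip("/") and not resolved.startswith(prefix):
        return None
    return resolved


if __name__ == "__main__":
    for name in ["photos/cat.jpg", "../etc/passwd", ".../x", "a//b", "/abs", "C:\\x"]:
        print(f"{name!r:18} naive={is_safe_path_naive(name)!s:5} "
              f"hardened={is_safe_path(name)}")
```

The two checks are deliberately layered: the component rule is the one that blocks the "..." case, and the containment check catches anything a future relaxation of the component rule might let through.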
Identity KPI Backend | In Progress | ` | * code review of JS (when ready)
- code review of WebService API (when ready)
|
Kuma 2.0 | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
adamm :: review list of bleached whitelist items :: before launch
adamm :: Diagram overall architecture, build high-level architecture :: asap
- Identify existing areas of known tech debt :: asap
- adamm :: Review architecture, identify areas of architectural risk :: asap
adamm :: Identify defensive approaches defined by the project for handling expected types of bugs (injection, output encoding, csrf, etc) :: asap
- code-review areas identified as high-risk
adamm :: Identify areas of technical risk which warrant code review
adamm :: Black-box test of staging environment |
Android Service Based Installer | In Progress | ` | |
Audio Recording - Web API & Implementation | In Progress | ` | - pauljt :: determine the threat model for WebRTC ::
- cdiehl :: fuzz this API
- pauljt :: Taint audio/video elements that carry cross-origin audio data so that this API fails in such cases (i.e. a web page must not be able to access the contents of cross-origin resources) |
Autoland | In Progress | ` | * autolander and patch review must not be the same person
- individuals in the autoland group must be educated to respect sec-approval needs (security team to educate sheriffs and release management folks).
- bug commit message and bug number must match (people fat finger this, or attackers could try to confuse us as to where a patch came from)
|
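The "commit message and bug number must match" rule above, as an added example (not autoland's own code): the landing check parses the commit summary line, extracts every bug number it names, and refuses to land when the summary names no bug, more than one bug, or a bug other than the one the landing request came from. The summary-line convention ("Bug NNNNNN - ..."), the older "b=NNNNNN" form and the sample messages are assumptions.

```python
"""Added example: check that a landing request's commit summary names the
bug it came from. Not autoland's code; the summary-line convention and the
sample messages are assumed.
"""
import re

# Matches "Bug 827562", "bug #827562" and the older "b=827562" form.
BUG_REF = re.compile(r"\b(?:bug\s*#?|b=)(\d+)", re.IGNORECASE)


def bugs_in_summary(message):
    """Bug numbers referenced on the first (summary) line of the message.

    Only the summary line is taken as the landing target; the body may
    legitimately mention related bugs ("follow-up to bug 801855").
    """
    lines = message.strip().splitlines()
    summary = lines[0] if lines else ""
    return {int(n) for n in BUG_REF.findall(summary)}


def commit_matches_bug(message, requested_bug):
    """Return (ok, reason); rejects missing, ambiguous and mismatched numbers.

    Mismatches cover both the fat-fingered case (transposed digits) and an
    attacker trying to make a patch look like it came from a different bug.
    """
    found = bugs_in_summary(message)
    if not found:
        return False, "summary line names no bug"
    if len(found) > 1:
        return False, f"summary line names several bugs: {sorted(found)}"
    (bug,) = found
    if bug != requested_bug:
        return False, (f"summary names bug {bug} but the landing request "
                       f"came from bug {requested_bug}")
    return True, "ok"


if __name__ == "__main__":
    sample = "Bug 827562 - Show the app source in the install prompt. r=pauljt"
    print(commit_matches_bug(sample, 827562))
    print(commit_matches_bug(sample, 827526))   # transposed digits
```

Run as a gate before the push, not after: once the commit is on the tree the mismatch is history.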
Automated/Assisted landing from Bugzilla to tip of $branch | In Progress | ` | |
B2G AppUpdates | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
- Confirm the update UI for pure hosted apps (i.e. no appcache)
--> [jsmith] Just tested, no UI shown, update is automatically applied
- Storage permission could be granted by MITM to a hosted app not using SSL. This grants unlimited storage, so the MITM could then try to fill up the disk.
- Add UI showing the source of the app (install prompt and app info section, under permissions)
--> install prompt bug might be https://bugzilla.mozilla.org/show_bug.cgi?id=827562 |
B2G Browser | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
- pauljt :: List of the required UI for URL Bar (SSL indicators etc?) :: by Aurora
- pauljt :: Security testing of Browser API :: before beta completion
|
B2G Updates | In Progress | ` | bbondy :: Check that the update is not significantly larger than expected, to prevent disk space being exhausted :: https://bugzilla.mozilla.org/show_bug.cgi?id=801855 (Resolved)
pauljt :: Fuzz the MAR format :: 804046 (Resolved) |
B2G Web Activities | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
pauljt::Revisit spoofing when doing security testing of web activities:: Post Implementation
pauljt::ensure registered URL is restricted to same origin based on principal
fabrice::Restrict handling sensitive activities (sms, others?) to trusted or certified apps. |
Balrog | In Progress | Q2 goal for live in nightly channel | * bhearsum :: Are MAR signatures checked on all platforms? Only on Windows; hashes are checked on all platforms
- releng :: whitelisting URLs that we point to
- releng :: notifications upon human addition (maybe change too?) of a release
- bhearsum :: db dump w/ instructions on how to use
- psiinon :: pentest admin UI
|
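The two update checks above, the B2G Updates item (abort a download that grows past the size the update manifest declared, so a bad server cannot exhaust the disk) and the Balrog note that hashes are checked on all platforms, as one added example. This is not the Firefox updater; the manifest fields, the chunked body and the sample MAR bytes are constructed for illustration. The size limit is enforced per chunk, so an oversize body is cut off one chunk past the declared size instead of after it has been written out in full.

```python
"""Added example: bounded update download with size and hash checks.

Not the Firefox updater; the manifest fields, the chunking and the sample
MAR bytes are constructed for illustration.
"""
import hashlib
import hmac


class UpdateRejected(Exception):
    pass


class CountingBody:
    """Iterates over a byte string in chunks and records how much was pulled,
    standing in for an HTTP response body."""

    def __init__(self, data, chunk_size=256):
        self.data, self.chunk_size, self.pulled = data, chunk_size, 0

    def __iter__(self):
        for i in range(0, len(self.data), self.chunk_size):
            chunk = self.data[i:i + self.chunk_size]
            self.pulled += len(chunk)
            yield chunk


def fetch_update(body, declared_size, declared_sha512):
    """Read body, failing closed on oversize, truncation and hash mismatch.

    The size check runs on every chunk, so a server that answers with
    gigabytes in place of a small MAR is stopped one chunk past the declared
    size rather than after filling the disk.
    """
    digest = hashlib.sha512()
    received, buf = 0, bytearray()
    for chunk in body:
        received += len(chunk)
        if received > declared_size:
            raise UpdateRejected(f"oversize: more than {declared_size} bytes")
        digest.update(chunk)
        buf += chunk
    if received != declared_size:
        raise UpdateRejected(f"truncated: {received} of {declared_size} bytes")
    if not hmac.compare_digest(digest.hexdigest(), declared_sha512):
        raise UpdateRejected("sha512 mismatch")
    return bytes(buf)


def try_fetch(body, declared_size, declared_sha512):
    """Convenience wrapper returning "ok" or the rejection reason."""
    try:
        fetch_update(body, declared_size, declared_sha512)
        return "ok"
    except UpdateRejected as err:
        return str(err)


# Constructed sample: a ~1 KiB stand-in for a MAR, plus the size and hash a
# client would have read from the update manifest for it.
SAMPLE_MAR = b"MAR1" + bytes(range(256)) * 4
SAMPLE_MANIFEST = {"size": len(SAMPLE_MAR),
                   "sha512": hashlib.sha512(SAMPLE_MAR).hexdigest()}

if __name__ == "__main__":
    big = CountingBody(SAMPLE_MAR + b"\x00" * 1_000_000)
    print(try_fetch(big, SAMPLE_MANIFEST["size"], SAMPLE_MANIFEST["sha512"]),
          "after pulling", big.pulled, "bytes")
```

The hash check only catches corruption and substitution of the MAR itself; if the manifest that carries the size and hash is fetched over plain HTTP, a MITM can rewrite both to match a malicious file. That is the gap the Balrog question about MAR signature checks on non-Windows platforms is pointing at.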
Identity Project BigTent | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
[dchan] - Contact ozten and team about testing environment by EOD 08/20 |
Profile feature of Mozilla Persona/BrowserID | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
Yvan Boily :: code review :: before launch
identity team :: What are each of the milestones, how can these steps be broken down, specify when there is an increase in data collected. |
Browser ID Sync Integration | In Progress | ` | |
Campaign management / product announcements for Firefox for Android | In Progress | ` | * Snippet poll must be over SSL - let's make sure. |
Chicago Summer of Learning Website (incl. aestimia and openbadger) | In Progress | ` | * chris :: add persona-auth to demo/ :: xx |
Click to Play Plugins | In Progress | ` | *Keeler::ability to differentiate plugins in persisted permissions :: https://bugzilla.mozilla.org/show_bug.cgi?id=746374 ::FF19?
Keeler::differentiate regular click-to-play permissions from blocklisted click-to-play permissions::before regular click-to-play gets its own UI to enable it |
Developer tools: Debugger | In Progress | ` | |
Fennec Private Browsing | In Progress | ` | |
GCLI | In Progress | ` | |
Geolocation WebAPI | In Progress | ` | |
Implement new IDN Unicode display algorithm | In Progress | ` | |
In App Payment | In Progress | ` | |
Add --marionette CLI to enable Marionette on all Firefox builds | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
Marionette Team :: reopen and address 741812 for AMO :: before enabling in optimize builds |
Metrics Data ping | In Progress | Firefox 12 | |
Extend Pointer Lock (Mouse Lock) for non-fullscreen elements | In Progress | ` | * Can we make sure that Esc (and cursor keys) cannot be used as a "user-triggered event handler" for the purpose of opening popups etc? Or maybe only a whitelist of keycodes / charcodes (space, enter, printable characters) https://bugzilla.mozilla.org/show_bug.cgi?id=748198
- This will break the Doom case of "Esc opens the menu and releases pointer lock; Esc again closes the menu and regains pointer lock". Games like that will have to use a different keybinding for their in-game menu with a fake cursor, or put an item on the menu for resuming the game. (Just like a full-screen game has to use a key other than Esc for its menu.)
[mwobensmith?] Test what happens when you have a device with both touch and cursor. |
Network Monitor | In Progress | ` | |
Notifications Backend | In Progress | ` | |
Packaged Apps: Signing & Revocation | In Progress | ` | * Our app "revocation" seems to depend on the app coming from the marketplace (not simply being signed by the marketplace). Nothing at the moment seems to stop a web-site from installing a copy of a marketplace-signed privileged app. (is that a problem?)
Marketplace team: Add a link to the mini-manifest inside the package. (Merge into bug 814131?)
Platform team (bsmith): require that mini-manifest link inside the signed JAR and make sure that the mini-manifest inside the JAR overrides the original (download) mini-manifest URI. (Merge into bug 814136?) |
Persona Realms SSO | In Progress | ` | * technical privacy review
privacy review
server for test environment |
Plugin Overlay API | In Progress | ` | |
Security/Reviews/Push API | In Progress | B2G Basecamp | ` |
Reader Mode | In Progress | ` | |
Release Kickoff System | In Progress | ` | |
Create API for content to keep the screensaver from turning on (or to prevent phone/tablet's screen from turning off) | In Progress | ` | |
Settings API | In Progress | ` | |
Simple Push API | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
pauljt :: Web App Test of Server Component :: when we can
pauljt :: Web App Test of Telefonica Component :: ASAP
jlebar :: Review notification Telefonica server :: ASAP |
Firefox/SocialAPI/ | In Progress | ` | |
Expose a client TCP socket/UDP datagram API to web applications | In Progress | ` | |
Web Bluetooth | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
dchan - gonk update strategy for bluetooth, camera, etc
dchan - looking into dbus testing tools that ChromeOS uses |
WebRT | In Progress | ` | |
WebSMS | In Progress | ` | |
Web Telephony | In Progress | ` | |
Windows 8 Metro Firefox | In Progress | ` | |
EsFrontLine | In Progress | ` | * Stefan :: test the search filtering (http://klahnakoski-es.corp.tor1.mozilla.com:9292/):: ??
|
Private Elastic Search | In Progress | ` | * add "this is private" indicator
remove legal, hr, finance, confidential (and more?)
verify if legal product dominates all the confidential bugs |
Navigator.pay | In Progress | ` | * Who :: What :: By when (Keep in mind all these things will be bugs that block the review bug, that blocks the feature bug)
pauljt:: Review trusted modal dialog js ::asap
dchan:: Investigate marketplace JWT generation code (have to review at the spec level, app servers can generate tokens as well)
pauljt :: Prevent navigator.pay from the background:: Bug raised |
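The JWT generation review item above, as an added example of the properties the review is looking for on both sides of the token: the issuer and the verifier. This is not the Marketplace or navigator.pay code. That payment tokens are HS256 JWTs over a per-app shared secret, the typ value, the claim names, the maximum lifetime and the sample secret are all assumptions for illustration. The verifier pins the algorithm before looking at the signature, so a token whose header claims "alg": "none" is rejected outright, and it compares signatures in constant time.

```python
"""Added example: issue and verify a navigator.pay-style HS256 JWT.

Not the Marketplace JWT code. The use of HS256 with a per-app shared secret,
the typ value, the claim names and the lifetime limit are assumptions.
"""
import base64
import hashlib
import hmac
import json

PAY_TYP = "mozilla/payments/pay/v1"   # assumed typ claim
MAX_LIFETIME = 3600                    # assumed: reject tokens valid over an hour
CLOCK_SKEW = 60                        # seconds of issuer clock drift tolerated


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pay_jwt(claims, secret):
    """Issuer side: header and claims as base64url JSON, HMAC-SHA256 signed."""
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_pay_jwt(token, secret, expected_iss, expected_aud, now):
    """Verifier side. Returns (claims, "ok") or (None, reason).

    The algorithm is pinned to HS256 before the signature is checked, so a
    header saying "none" (or any other alg) never reaches the HMAC step.
    """
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(unb64url(h_b64))
        signature = unb64url(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, f"unexpected alg {header.get('alg') if isinstance(header, dict) else None!r}"
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    try:
        claims = json.loads(unb64url(c_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed claims"
    if not isinstance(claims, dict) or claims.get("typ") != PAY_TYP:
        return None, "wrong typ"
    if claims.get("iss") != expected_iss:
        return None, "wrong iss"
    if claims.get("aud") != expected_aud:
        return None, "wrong aud"
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        return None, "missing iat/exp"
    if iat > now + CLOCK_SKEW:
        return None, "iat in the future"
    if now >= exp:
        return None, "expired"
    if exp - iat > MAX_LIFETIME:
        return None, "lifetime too long"
    return claims, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    secret = b"constructed-app-secret"          # constructed, not a real key
    claims = {"iss": "app-key-123", "aud": "marketplace.example", "typ": PAY_TYP,
              "iat": now - 10, "exp": now + 600,
              "request": {"pricePoint": 1, "name": "Magical Unicorn"}}
    token = make_pay_jwt(claims, secret)
    print(verify_pay_jwt(token, secret, "app-key-123", "marketplace.example", now)[1])
    forged = b64url(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    print(verify_pay_jwt(forged, secret, "app-key-123", "marketplace.example", now)[1])
```

Because app servers can mint these tokens as well as the Marketplace, the review has to cover every issuer: a single generator that accepts a caller-supplied alg, omits exp, or signs with a key shared across apps undermines the checks the verifier performs.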
Token Server Client & Java BrowserID crypto library for Android services projects | In Progress | ` | nalexander :: try to find diagram showing token flows through servers and clients for dchan :: Friday, 22 November
dchan :: reach out to platform / fxos teams for their implementations of this dance :: Friday, 22 November
yvan :: schedule Fx Accounts sec-review for protocol :: Friday, 22 November |
IM in Thunderbird | In Progress | Thunderbird 13 | |