Security/Sandbox/2017-04-20
From MozillaWiki
« previous week | index | next week »
Contents
bobowen
- bug 1351358 - Can't submit form to http(s) URL using POST method from a file:// page
- I have this pretty much working like chrome, couple of edge cases to work out and tests to write.
haik
- bug 1334550 - Proxy moz-extension protocol requests to the parent process
- Changed code to use new SimpleChannel
- 1 Memory leak to deal with
- bug 1332190 - [Mac] Remove file system read access from content sandbox when separate file process in use
Alex_Gaynor
- bug 1294641 - Running nightly from your home directory now works!
- bug 1357758 - Replacing blacklist with whitelisting for the mac sandbox policy - mostly trying to assess how many blockers there are
- bug 1357846 - Fixing a test when run under sandbox level 3
- Starting to explore how to establish how much work it'd be to enable win32k lockdown
jld
- Looking into networking/sockets stuff
- Our friends in media have remoted getifaddrs bug 1345511 and fixed the thing I had to work around on B2G bug 969715
- Blocking bind/listen/accept could land approximately now, judging by Try
- The patch for 1345511 is… not simple; I'm glad I didn't try to do that myself.
- xpcshell tests haven't been sandboxed for a while
- And one of them (dom/base/test/unit_ipc/test_bug553888_wrap.js) is the infamous httpd.js test
- The prefs are in firefox.js, so xpcshell doesn't load them, so the “sandbox level” prefs are 0, but these are otherwise normal content processes
- I'll file a bug
- DBus
- Exits the process if you shutdown read on its socket, but only on some systems.
- Used directly in a few places (PowerManager, a11y, WiFi Scanner)
- Might all be parent-only or easily e10s-able; not sure yet
- I'll file some bugs
handyman
- bug 1347710 - GPU Sandbox - need to check webrender
- uplifting to beta
roundtable
- Linux Sandbox feature telemetry probes are expiring; should they?
- Action item: jld to ask gcp
- LastPass and extension content scripts
- https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Native_messaging
- Look into native messaging handling and the sandbox
- who launches the binary?
- security around the message handling if this process runs at user level -> jimm to chat with Paul about this (done)
- securing level settings beyond level 1 rollout
- file bug on locking base level at 1 (win/osx, linux can wait) -> jimm (Bug 1358223)
- do we need MOZ_ALLOW_WEAKER_SANDBOX? (Bug 1358227)
- file bug on removing this -> jimm
- Browser Security Comparison paper: http://files.accuvant.com/web/files/AccuvantBrowserSecCompar_FINAL.pdf
- From 2011, maybe a starting point
- Out of process WebExtensions
- bug 1190679 - Run WebExtensions out of process
- bug 1357486 - Turn on OOP extensions by default on Windows and OS-X
- And other dependencies