Security/Sandbox/2017-04-20

From MozillaWiki
Jump to: navigation, search

« previous week | index | next week »

bobowen

  • bug 1351358 - Can't submit form to http(s) URL using POST method from a file:// page
    • I have this pretty much working like chrome, couple of edge cases to work out and tests to write.

haik

  • bug 1334550 - Proxy moz-extension protocol requests to the parent process
    • Changed code to use new SimpleChannel
    • 1 Memory leak to deal with
  • bug 1332190 - [Mac] Remove file system read access from content sandbox when separate file process in use

Alex_Gaynor

  • bug 1294641 - Running nightly from your home directory now works!
  • bug 1357758 - Replacing blacklist with whitelisting for the mac sandbox policy - mostly trying to assess how many blockers there are
  • bug 1357846 - Fixing a test when run under sandbox level 3
  • Starting to explore how to establish how much work it'd be to enable win32k lockdown

jld

  • Looking into networking/sockets stuff
  • Our friends in media have remoted getifaddrs bug 1345511 and fixed the thing I had to work around on B2G bug 969715
    • Blocking bind/listen/accept could land approximately now, judging by Try
    • The patch for 1345511 is… not simple; I'm glad I didn't try to do that myself.
  • xpcshell tests haven't been sandboxed for a while
    • And one of them (dom/base/test/unit_ipc/test_bug553888_wrap.js) is the infamous httpd.js test
    • The prefs are in firefox.js, so xpcshell doesn't load them, so the “sandbox level” prefs are 0, but these are otherwise normal content processes
    • I'll file a bug
  • DBus
    • Exits the process if you shutdown read on its socket, but only on some systems.
    • Used directly in a few places (PowerManager, a11y, WiFi Scanner)
      • Might all be parent-only or easily e10s-able; not sure yet
    • I'll file some bugs

handyman

  • bug 1347710 - GPU Sandbox - need to check webrender
    • uplifting to beta

roundtable

  • Linux Sandbox feature telemetry probes are expiring; should they?
    • Action item: jld to ask gcp
  • LastPass and extension content scripts
  • securing level settings beyond level 1 rollout
    • file bug on locking base level at 1 (win/osx, linux can wait) -> jimm (Bug 1358223)
  • do we need MOZ_ALLOW_WEAKER_SANDBOX? (Bug 1358227)
    • file bug on removing this -> jimm
  • Browser Security Comparison paper: http://files.accuvant.com/web/files/AccuvantBrowserSecCompar_FINAL.pdf
    • From 2011, maybe a starting point
  • Out of process WebExtensions
    • bug 1190679 - Run WebExtensions out of process
    • bug 1357486 - Turn on OOP extensions by default on Windows and OS-X
    • And other dependencies