SecurityEngineering/MeetingNotes/10-11-12

From MozillaWiki

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/10-04-12

Goals

Q4 Potential Goals Discussion

  • CSP 1.0 lands
  • help B2G ship
    • Fix the follow-up B2G security/privacy model bugs that are left?
  • security event (l33t brown bag)

Other Items

Mozcamp

Anyone going to Mozcamp Singapore? Larissa is applying for an Asia Security/Privacy Workshop

build help?

Can't build - https://bugzilla.mozilla.org/show_bug.cgi?id=798004 and https://bugzilla.mozilla.org/show_bug.cgi?id=797533

Mixed Content

  • Landing goals?
  • Telemetry - what things to count. Potential FF 18 uplift.
  • Shield - moving the mixed content icon -- let's do it on the left
  • Content Types - which types cause mixed warnings (nsIContentPolicy constants, annotated with the class of mixed content each one produces)
    • const unsigned long TYPE_OTHER = 1; - Mixed Active
    • const unsigned long TYPE_DOCUMENT = 6; - N/A
    • const unsigned long TYPE_PING = 10; - Mixed Passive or N/A
    • const unsigned long TYPE_REFRESH = 8; - N/A
    • const unsigned long TYPE_WEBSOCKET = 16; - Not possible; Mixed Active
    • const unsigned long TYPE_SCRIPT = 2; - Mixed Active
    • const unsigned long TYPE_STYLESHEET = 4; - Mixed Active
    • const unsigned long TYPE_XBL = 9; - Mixed Active
    • const unsigned long TYPE_DTD = 13; - Mixed Active
    • const unsigned long TYPE_OBJECT = 5; - Mixed Active
    • const unsigned long TYPE_IMAGE = 3; - Mixed Passive
    • const unsigned long TYPE_SUBDOCUMENT = 7; - Mixed Active (different from Chrome, same as IE)
    • const unsigned long TYPE_XMLHTTPREQUEST = 11; - Mixed Active (we hope; death to JSON-P, i.e. processing XHR results with eval) (different from Chrome, same as IE)
    • const unsigned long TYPE_OBJECT_SUBREQUEST = 12; - Mixed Active - can be the next item in a playlist (e.g. YouTube)
    • const unsigned long TYPE_FONT = 14; - Mixed Active (different from Chrome and IE) - https://bugzilla.mozilla.org/show_bug.cgi?id=62178#c165
    • const unsigned long TYPE_MEDIA = 15; - Mixed Passive
  • handling redirect code for mixed content - talk to Sid about how csp handles this.
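As an added illustration of the table above (example code written for these notes, not Gecko's mixed-content blocker), the following classifier applies the agreed active/passive split to a single load and then to a redirect chain, where every hop has to be checked because a single insecure hop downgrades the whole load. TYPE_PING is treated as passive here; the function and URL-hop representation are assumptions of the example.

```javascript
// Added example (not code from the wiki page or from Gecko): a classifier
// that applies the content-type table from these notes. TYPE values are the
// nsIContentPolicy constants listed on the page.
const TYPE = {
  OTHER: 1, SCRIPT: 2, IMAGE: 3, STYLESHEET: 4, OBJECT: 5, DOCUMENT: 6,
  SUBDOCUMENT: 7, REFRESH: 8, XBL: 9, PING: 10, XMLHTTPREQUEST: 11,
  OBJECT_SUBREQUEST: 12, DTD: 13, FONT: 14, MEDIA: 15, WEBSOCKET: 16,
};

// Class of each type once a load is known to be mixed (HTTPS page loading a
// plain-HTTP resource), as decided in the meeting. PING is "Passive or N/A"
// on the page; passive is the conservative choice (assumption).
const MIXED_CLASS = {
  [TYPE.OTHER]: "active", [TYPE.SCRIPT]: "active", [TYPE.STYLESHEET]: "active",
  [TYPE.OBJECT]: "active", [TYPE.SUBDOCUMENT]: "active", [TYPE.XBL]: "active",
  [TYPE.XMLHTTPREQUEST]: "active", [TYPE.OBJECT_SUBREQUEST]: "active",
  [TYPE.DTD]: "active", [TYPE.FONT]: "active", [TYPE.WEBSOCKET]: "active",
  [TYPE.IMAGE]: "passive", [TYPE.MEDIA]: "passive", [TYPE.PING]: "passive",
  [TYPE.DOCUMENT]: "none", [TYPE.REFRESH]: "none",
};

// Returns "active", "passive" or "none" for one load. A load is mixed only
// when the top-level document is HTTPS and the request is http: (or ws: for
// websockets). Unknown content types are treated as active (fail closed).
function classifyMixedLoad(documentUrl, requestUrl, contentType) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  if (doc.protocol !== "https:") return "none";      // HTTP page: nothing to mix
  const insecure = req.protocol === "http:" || req.protocol === "ws:";
  if (!insecure) return "none";                        // https:/wss: is fine
  return MIXED_CLASS[contentType] || "active";
}

// A redirect chain is as insecure as its weakest hop: check every URL the
// channel visits, not just the one the page asked for. Hops are assumed to
// be an ordered array of URLs ending at the final resource.
function classifyRedirectChain(documentUrl, hops, contentType) {
  let worst = "none";
  for (const url of hops) {
    const c = classifyMixedLoad(documentUrl, url, contentType);
    if (c === "active") return "active";
    if (c === "passive") worst = "passive";
  }
  return worst;
}
```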

ddahl

Web Crypto API update

  • feedback - on the API, please, not the applications or the rest of the DOM
  • implementations beginning because of stalemates in WG
  • New experiments