Revision as of 01:51, 8 February 2013

Agenda

https://bugzilla.mozilla.org/show_bug.cgi?id=838403 - Missing call for setting flag for mixed display blocked - needs a test.
https://bugzilla.mozilla.org/show_bug.cgi?id=836811 - needs a test, but has already landed in central
https://bugzilla.mozilla.org/show_bug.cgi?id=815345 - Session Restore with document.write - see https://people.mozilla.com/~tvyas/sessionrestore.html
https://bugzilla.mozilla.org/show_bug.cgi?id=836352 - Active vs Passive plugin sub requests - Long term bug, start engaging the right folks
https://bugzilla.mozilla.org/show_bug.cgi?id=800098 - HSTS will be blocked before it's enforced.
- Inconsistency between first time visitor and second time visitors to an hsts embedded page.
- https://blog.mozilla.org/ embeds [1] that redirects to the https version.
- What should the correct behavior be?
https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - users have a choice to disable mixed content on iframes. What should the correct behavior be?
v2 Technical Information section that shows what is blocked.
UI tweaks
- Make mixed content blocker more discoverable - https://bugzilla.mozilla.org/show_bug.cgi?id=834828
- Strike through https - https://bugzilla.mozilla.org/show_bug.cgi?id=834830
- UI Redesign Tweaks - https://bugzilla.mozilla.org/show_bug.cgi?id=827595

e.g., dev tools, mini projects, add-ons, etc

see https://wiki.mozilla.org/Security/Mentorship
HSTS crawler for preload list
Wordpress CSP plugin (update it for CSP 1.0)
Developer tools for securing a site:
- mixed content help is a good start
- https://etherpad.mozilla.org/securityreport - https://bugzilla.mozilla.org/show_bug.cgi?id=781147
Fast profile switching prototype (add-on or something) to study how people interact with it
HTTPS by default for address bar
Auto-fix SSL errors (e.g. detect system time set wrongly, foo.com -> https://www.foo.com redirects automatically
Certificate error reporting (send cert chain) to Mozilla (we want this for CA pinning) (telemetry: See bug 707275) but also a "report this to Mozilla" link
Cookie Tagging (mgoodwin is working on this... mebbe help)
CSP 1.1 experimental features
- Paths
- CSP Sandbox
Firefox OS cert manager
Web App CSP generator
Android Firefox client certs
Android Firefox cert viewer (or larry for android)
Firefox OS Cross-app auth manager
remove the auth mechanism that tries to login you in if you type @ in url (userPass in nsIURI)
RFC 1918 address space isolation (bug 354493)

@@ Line 32: / Line 32: @@
 * https://bugzilla.mozilla.org/show_bug.cgi?id=800098 - HSTS will be blocked before it's enforced.
 ** Inconsistency between first time visitor and second time visitors to an hsts embedded page.
-** https://blog.mozilla.org/ embeds <pre>http://blog.mozilla.org/files/2013/01/most-trusted-privacy-2012-252x218.jpg</pre> that redirects to the https version.
+** https://blog.mozilla.org/ embeds [http://blog.mozilla.org/files/2013/01/most-trusted-privacy-2012-252x218.jpg] that redirects to the https version.
 ** What should the correct behavior be?
 * https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - users have a choice to disable mixed content on iframes.  What should the correct behavior be?