[Bugzilla] Bugs logged by Desktop Release QA in the last 8 days

2018-01-02 Thread Bogdan Maris
Here's the list of new issues found and filed by the Desktop Release QA
team last week.
Additional details on the team's priorities last week, as well as the plans
for the current week are available at: https://goo.gl/7YwnLr.

Bugs logged by Desktop Release QA in the last 8 days

ID       Sev     Pri  Plt  Assignee            Status  Resolution  Summary
1427280  normal  --   All  nob...@mozilla.org  NEW     ---         Firefox fails to open mp4 3D-4K videos by returning error messages in the console


Bogdan (:bogdan_maris)
Desktop Release QA

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Password autofilling

2018-01-02 Thread Jonathan Kingston
There are some other alternatives that we could take here:

1. Improve the UX of autofill
  a. present the credentials to the user on visible forms when the page
loads
  - Google had a project on doing this and it never got completed. It
appears there are many issues with this solution [4].
2. Prevent autofill on third party forms
  - might not actually address the issue as advertisers are often first
party
3. Add heuristics on if the form should be autofilled
  a. Don't fill when a form isn't visible, editable etc

I also think that removing autofill aligns with the Credential Management
API, providing incentive for developers to use it over having their forms
autofilled by default, and that users expect their details to require an
interaction for filling.

> There's an about:config pref, as [1] points out, which does this.

My comment that this wasn't possible was misleading; however, I don't
expect the pref is discoverable to most.

[4] https://twitter.com/estark37/status/947667756400361474


On Tue, Jan 2, 2018 at 5:23 PM, Axel Hecht wrote:

> On 02.01.18 at 17:22, Gijs Kruitbosch wrote:
>
> On 01/01/2018 20:08, Jonathan Kingston wrote:
>>
>>> We have the ability to turn off the whole login manager within Firefox
>>> preferences: "Remember logins and passwords for web sites" but no way to
>>> prevent autofill.
>>>
>>
>> There's an about:config pref, as [1] points out, which does this.
>>
>> I wonder if there's a way to require user interaction only when pages
>> contain non-same-origin scripts. Then again, it's not clear that that'd be
>> "worth it", in the sense that that would actually significantly reduce the
>> number of pages where user interaction would be required, nor that it
>> wouldn't make the browser's behaviour less understandable to end users (as
>> we would sometimes autofill without interaction, and sometimes wouldn't).
>>
>> In other form code we also care about whether form fields are focusable
>> (ie visible, editable etc.), which is something we could also potentially
>> use to mitigate these attacks, though it could probably be bypassed by
>> having a visible element that is positioned "offscreen" in an
>> overflow:hidden container, or something of that sort.
>>
>> ~ Gijs
>>
>
> Or could we start blocking tracking-providers with this practice in
> general?
>
> As much as this sounds like an arms race, these providers are only valuable
> if they're on a lot of sites, so this might actually be a winnable arms race.
>
> Axel


Re: Password autofilling

2018-01-02 Thread Axel Hecht

On 02.01.18 at 17:22, Gijs Kruitbosch wrote:

> On 01/01/2018 20:08, Jonathan Kingston wrote:
>
>> We have the ability to turn off the whole login manager within Firefox
>> preferences: "Remember logins and passwords for web sites" but no way to
>> prevent autofill.
>
> There's an about:config pref, as [1] points out, which does this.
>
> I wonder if there's a way to require user interaction only when pages
> contain non-same-origin scripts. Then again, it's not clear that that'd
> be "worth it", in the sense that that would actually significantly
> reduce the number of pages where user interaction would be required, nor
> that it wouldn't make the browser's behaviour less understandable to end
> users (as we would sometimes autofill without interaction, and sometimes
> wouldn't).
>
> In other form code we also care about whether form fields are focusable
> (ie visible, editable etc.), which is something we could also
> potentially use to mitigate these attacks, though it could probably be
> bypassed by having a visible element that is positioned "offscreen" in
> an overflow:hidden container, or something of that sort.
>
> ~ Gijs


Or could we start blocking tracking-providers with this practice in general?

As much as this sounds like an arms race, these providers are only
valuable if they're on a lot of sites, so this might actually be a
winnable arms race.


Axel


Re: Password autofilling

2018-01-02 Thread Gijs Kruitbosch

On 01/01/2018 20:08, Jonathan Kingston wrote:

> We have the ability to turn off the whole login manager within Firefox
> preferences: "Remember logins and passwords for web sites" but no way to
> prevent autofill.


There's an about:config pref, as [1] points out, which does this.

I wonder if there's a way to require user interaction only when pages 
contain non-same-origin scripts. Then again, it's not clear that that'd 
be "worth it", in the sense that that would actually significantly 
reduce the number of pages where user interaction would be required, nor 
that it wouldn't make the browser's behaviour less understandable to end 
users (as we would sometimes autofill without interaction, and sometimes 
wouldn't).


In other form code we also care about whether form fields are focusable 
(ie visible, editable etc.), which is something we could also 
potentially use to mitigate these attacks, though it could probably be 
bypassed by having a visible element that is positioned "offscreen" in 
an overflow:hidden container, or something of that sort.


~ Gijs
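
The focusability heuristic discussed in this message, extended to the overflow:hidden clipping case it mentions, as an added example that is not part of the thread and is not Firefox code. Elements are modelled as plain objects with a hypothetical shape and constructed sample values, and the 50% visible-area threshold is an assumption.

```javascript
// Added example: a simplified geometry model, not Firefox's login manager code.
// Element shape (hypothetical): { rect: {x, y, w, h}, style, parent, disabled, readOnly }
const MIN_VISIBLE_FRACTION = 0.5; // assumed threshold, not from the thread

function intersect(a, b) {
  const x = Math.max(a.x, b.x);
  const y = Math.max(a.y, b.y);
  const w = Math.min(a.x + a.w, b.x + b.w) - x;
  const h = Math.min(a.y + a.h, b.y + b.h) - y;
  return w > 0 && h > 0 ? { x, y, w, h } : null;
}

// Decide whether one candidate login field may be filled without interaction.
function autofillDecision(field, page) {
  if (field.disabled || field.readOnly) return { fill: false, reason: "not editable" };
  const area = field.rect.w * field.rect.h;
  if (area <= 0) return { fill: false, reason: "zero size" };
  let visible = intersect(field.rect, page); // page = scrollable document area
  for (let el = field; el && visible; el = el.parent) {
    const s = el.style || {};
    if (s.display === "none" || s.visibility === "hidden" || s.opacity === 0)
      return { fill: false, reason: "hidden by style" };
    // An overflow:hidden ancestor clips everything outside its own box, so a
    // field that is "visible" by style alone can still show nothing to the user.
    if (el !== field && s.overflow === "hidden") visible = intersect(visible, el.rect);
  }
  const shown = visible ? (visible.w * visible.h) / area : 0;
  if (shown < MIN_VISIBLE_FRACTION) return { fill: false, reason: "clipped or offscreen" };
  return { fill: true, reason: "visible and editable" };
}

// Constructed sample elements (positions in page coordinates).
const page = { x: 0, y: 0, w: 1280, h: 4000 };
const body = { rect: page, style: {}, parent: null };
const loginBox = { rect: { x: 400, y: 300, w: 300, h: 120 }, style: {}, parent: body };
const shownField = { rect: { x: 420, y: 320, w: 260, h: 30 }, style: {}, parent: loginBox };
const clipBox = { rect: { x: 0, y: 0, w: 1, h: 1 }, style: { overflow: "hidden" }, parent: body };
const clippedField = { rect: { x: 500, y: 500, w: 200, h: 30 }, style: {}, parent: clipBox };
const hiddenField = { rect: { x: 420, y: 360, w: 260, h: 30 }, style: {}, parent:
  { rect: loginBox.rect, style: { display: "none" }, parent: body } };

for (const [name, f] of Object.entries({ shownField, clippedField, hiddenField })) {
  const d = autofillDecision(f, page);
  console.log(`${name}: ${d.fill ? "fill" : "skip"} (${d.reason})`);
}
```

A style-only check would pass `clippedField`, since none of its own properties hide it; the walk up the ancestor chain is what catches the clipping container.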