Re: Land your tests for now-public security bugs

2020-03-09 Thread Cameron McCormack
On Tue, Mar 10, 2020, at 10:33 AM, Daniel Veditz wrote:
> We need to do better at the remembering-to-land part. If you've fixed a
> security bug in the past please check if you have any hanging
> *in-testsuite?* bugs for bugs that are now public.

Thank you for the reminder.  (I've got tests going back six years I need to 
land!)

Can we have the bots that operate on Bugzilla needinfo bug assignees when a bug 
is opened up and has an "in-testsuite?" flag?
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Land your tests for now-public security bugs

2020-03-09 Thread Daniel Veditz
tl;dr: If you've ever landed a security fix please check-in your public
testcases.

We've long worried that if we landed tests along with our security fixes
that attackers could develop and deploy an "N-day" exploit before we could
get the fixes into the hands of our users. This is not paranoia; there are
people who do this.

We've done a great job preventing this in part by withholding tests and
marking bugs with the *in-testsuite?* flag to land them later when the bug
is public (at which time the flag is changed to *in-testsuite+*). We need
to do better at the remembering-to-land part. If you've fixed a security
bug in the past please check if you have any hanging *in-testsuite?* bugs
for bugs that are now public.

You can find this query and other useful information about how to handle
security bugs on our Security Bug Life Cycle page, or click the link in the
"tl;dr" above.

-Dan Veditz


Phabricator Update - Tuesday March 10th, 10:30AM EDT

2020-03-09 Thread dlawrence
Normally we update Phabricator (phabricator.services.mozilla.com) on Monday
mornings but this week we will be updating outside of our normal window.  We
will be doing a maintenance release on Tuesday, March 10th, between 10:30AM
and 11:30AM EDT. You should not notice any interruption in service but there
may be a hiccup possible. Please notify #phabricator in Slack if any issues
are found.

Thanks

David Lawrence

d...@mozilla.com



Re: Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure

2020-03-09 Thread gabimolayof
On Thursday, 23 May 2019 at 11:34:14 UTC+3, Andrea Marchesini wrote:
> Link to the proposal:
> https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
> 
> Summary:
>   "1.  Treat the lack of an explicit "SameSite" attribute as
>   "SameSite=Lax".  That is, the "Set-Cookie" value "key=value" will
>   produce a cookie equivalent to "key=value; SameSite=Lax".
>   Cookies that require cross-site delivery can explicitly opt-into
>   such behavior by asserting "SameSite=None" when creating a
>   cookie.
>   2.  Require the "Secure" attribute to be set for any cookie which
>   asserts "SameSite=None" (similar conceptually to the behavior for
>   the "__Secure-" prefix).  That is, the "Set-Cookie" value
>   "key=value; SameSite=None; Secure" will be accepted, while
>   "key=value; SameSite=None" will be rejected."
> 
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1551798
> 
> Platform coverage: all
> 
> Estimated or target release: 69 - behind pref
> 
> Preferences behind which this will be implemented:
>  - network.cookie.sameSite.laxByDefault
>  - network.cookie.sameSite.noneRequiresSecure (this requires the previous
> one to be set to true)
> 
> Is this feature enabled by default in sandboxed iframes? yes.
> 
> Do other browser engines implement this?
>  - Chrome is implementing/experimenting this feature:
> https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
>  - Safari: no signal yet.
> 
> web-platform-tests: There is a pull-request
> https://github.com/web-platform-tests/wpt/pull/16957
> Implementing this feature, I added a mochitest to inspect cookies via
> CookieManager.
> 
> Is this feature restricted to secure contexts? no

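The two rules quoted in the proposal, as an added example that is not part of the original thread and not the Gecko cookie parser: a small Set-Cookie evaluator that applies "absent SameSite behaves as Lax" and "SameSite=None requires Secure", so a site operator can check which of their headers would be restricted or dropped once the prefs are on. The two option names mirror the prefs named in the post; the minimal attribute parsing, the helper names and the sample headers are assumptions constructed for this example.

```javascript
// Added example, not code from the post or from Firefox: a Set-Cookie
// evaluator applying the two proposal rules. The parsing is a deliberately
// minimal model (assumption), not the Gecko cookie parser.

const KNOWN_SAMESITE = new Set(["strict", "lax", "none"]);

function evaluateSetCookie(header, opts = {}) {
  const laxByDefault = opts.laxByDefault !== false;
  // As the post states, the second pref only has effect when the first is on.
  const noneRequiresSecure = laxByDefault && opts.noneRequiresSecure !== false;

  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  if (eq <= 0) {
    return { accepted: false, reason: "missing cookie name" };
  }
  const name = nameValue.slice(0, eq).trim();
  const value = nameValue.slice(eq + 1).trim();

  let asserted = null; // explicit SameSite value, null when the attribute is absent
  let secure = false;
  for (const attr of attrs) {
    const [rawKey, rawVal = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "secure") {
      secure = true;
    } else if (key === "samesite") {
      const mode = rawVal.trim().toLowerCase();
      // An unrecognised SameSite value is treated as absent in this model.
      asserted = KNOWN_SAMESITE.has(mode) ? mode : null;
    }
  }

  // Rule 2: an explicit SameSite=None must be accompanied by Secure.
  if (noneRequiresSecure && asserted === "none" && !secure) {
    return { accepted: false, reason: "SameSite=None requires Secure" };
  }

  // Rule 1: an absent SameSite attribute behaves as Lax. Without the pref the
  // legacy behaviour is unrestricted cross-site delivery, shown here as "none".
  const effectiveSameSite =
    asserted !== null ? asserted : laxByDefault ? "lax" : "none";

  return { accepted: true, name, value, sameSite: effectiveSameSite, secure };
}

// Compare legacy behaviour with the new defaults for a list of headers and
// report which ones become more restricted or are dropped outright.
function auditHeaders(headers) {
  return headers.map((header) => {
    const before = evaluateSetCookie(header, { laxByDefault: false });
    const after = evaluateSetCookie(header);
    let verdict = "unchanged";
    if (!after.accepted) {
      verdict = "rejected";
    } else if (before.accepted && before.sameSite !== after.sameSite) {
      verdict = "restricted";
    }
    return { header, verdict };
  });
}

// Constructed sample headers (not taken from any real site).
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly",
  "sso=tok; SameSite=None; Secure",
  "legacy=1; SameSite=None",
  "pref=dark; SameSite=Strict",
];

for (const { header, verdict } of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${verdict.padEnd(10)} ${header}`);
}
```

The "restricted" verdict is the one worth auditing for: a cookie that silently stops being sent on cross-site requests breaks embedded widgets and federated logins without any error, whereas a "rejected" cookie at least fails visibly.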


Intent to ship: Intermediate CA Preloading

2020-03-09 Thread Thyla van der Merwe
*Summary*: As of Firefox 75, Intermediate CA Preloading will be enabled for
all Desktop users. This means that all intermediate CAs disclosed to
Mozilla will be pre-loaded into profiles, combatting the common secure
website misconfiguration of forgetting to include these certificates.
Previously, progression of this work was stalled by a dependency on rkv
improvements; this has now been resolved. Further details can be found this
comprehensive dev-platform post:
https://groups.google.com/forum/#!msg/mozilla.dev.platform/ATbLAQpWLXE/BZqxGxyyBQAJ


*Tracking Bug*: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1535662

*Standard*: N/A.

*Estimated target release*: Firefox 75

*Platform coverage*: All Desktop platforms.

*Preference*: We intend to ship this feature as enabled by default, but it
may be disabled by setting the
"security.remote_settings.intermediates.enabled" pref to 'false'.

*DevTools bug*: N/A.

*Other browsers*: N/A.

*Testing*: Enabled in pre-release since Firefox 68

*Secure contexts*: N/A.

*Bug to enable*: https://bugzilla.mozilla.org/show_bug.cgi?id=1603834

Please do not hesitate to reach out if you have any further questions or
concerns.


Best,

Thyla



-- 
Dr. Thyla van der Merwe
Cryptography Engineering Manager


Intent to ship: JavaScript Intl.Locale

2020-03-09 Thread André Bargull via dev-platform
For Firefox 75, we intend to ship the Intl.Locale ECMA-402 proposal.

Summary:

Intl.Locale allows parsing and manipulating language tags in a user-friendly way.

For example:

let loc = new Intl.Locale("pl-u-hc-h12", {
  calendar: 'gregory'
});
console.log(loc.language); // "pl"
console.log(loc.hourCycle); // "h12"
console.log(loc.calendar); // "gregory"
console.log(loc.toString()); // "pl-u-ca-gregory-hc-h12"

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1613713

Standard: https://github.com/tc39/proposal-intl-locale

Platform coverage: All

Preference: None

DevTools bug: None, because no extra support is needed for devtools.

Other browsers: Shipping in Chrome.

Tests: Covered in test262, the ECMAScript conformance test suite. In tree
stored in js/src/tests/test262, upstream repository is .

Secure contexts: JavaScript language features should be enabled everywhere.

Is this feature enabled by default in sandboxed iframes: Yes, because it 
doesn't affect sandboxing.

How stable is the spec: The most recent specification changes only covered
edge-cases concerning language tag canonicalisation; the overall proposal has
been stable for months.


- André
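The parsing and canonicalisation the post describes, as an added example that is not part of the intent-to-ship mail: Intl.Locale applied to language tags that arrive from untrusted input (a URL parameter, an Accept-Language header), where the constructor's RangeError on a structurally invalid tag gives validation and canonicalisation in one step. The function names, the supported-locale list and the sample header value are assumptions made for this example; q-weight ordering is deliberately left out.

```javascript
// Added example, not from the intent-to-ship post: validating and
// canonicalising untrusted language tags with Intl.Locale.

// Returns the parsed fields for a tag, or null when the tag is invalid.
// describeLocale is a name chosen for this example.
function describeLocale(tag, options = {}) {
  let loc;
  try {
    loc = new Intl.Locale(tag, options);
  } catch (e) {
    if (e instanceof RangeError) return null; // structurally invalid tag
    throw e;
  }
  return {
    language: loc.language,
    region: loc.region,
    calendar: loc.calendar,
    hourCycle: loc.hourCycle,
    baseName: loc.baseName,     // tag without Unicode extension keywords
    canonical: loc.toString(),  // case-normalised, keywords sorted
  };
}

// Pick the first tag from a comma-separated Accept-Language-style list whose
// base name matches a supported locale; invalid entries are skipped rather
// than allowed to throw, and the caller's fallback is used when nothing fits.
function pickSupportedLocale(acceptLanguage, supported, fallback = "en") {
  const supportedSet = new Set(supported.map((t) => new Intl.Locale(t).baseName));
  for (const item of acceptLanguage.split(",")) {
    const tag = item.split(";")[0].trim(); // drop any ";q=..." weight
    if (!tag) continue;
    const info = describeLocale(tag);
    if (info && supportedSet.has(info.baseName)) return info.baseName;
  }
  return fallback;
}

// Constructed sample input (not from a real request).
const SAMPLE_ACCEPT_LANGUAGE = "fr-CH;q=0.9, not a tag, EN-us, pl-u-hc-h12";

console.log(describeLocale("pl-u-hc-h12", { calendar: "gregory" }));
console.log(describeLocale("not a tag"));
console.log(pickSupportedLocale(SAMPLE_ACCEPT_LANGUAGE, ["pl", "en-US"]));
```

Matching on baseName rather than on the full canonical string means "pl-u-hc-h12" still selects the "pl" translation, while the user's hour-cycle preference remains available through the parsed object for formatting.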



Intent to ship: JavaScript public static fields

2020-03-09 Thread André Bargull via dev-platform
For Firefox 75, we intend to ship JavaScript public static fields.

Summary: Public static fields in JavaScript classes.

For example:
class C {
  static a = 0;
}

Public instance fields have been shipping since Firefox 69. The intent to ship
can be found at .

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1535804

Standard: https://github.com/tc39/proposal-static-class-features/

Platform coverage: All

Preference: None

DevTools bug: None, public static fields are already displayed just fine.

Other browsers: Shipping in Chrome. In progress in Safari.

Tests: Covered in test262, the ECMAScript conformance test suite. In tree 
stored in
js/src/tests/test262, upstream repository is .

Secure contexts: JavaScript language features should be enabled everywhere.

Is this feature enabled by default in sandboxed iframes: Yes, because it 
doesn't affect sandboxing.

How stable is the spec: The public static fields part of the spec hasn't been 
modified in recent
months, so we don't expect any major changes to it. The private static fields 
part did receive some
changes, but that feature isn't yet implemented in Firefox.


- André



Re: Lando's "Appropriate token is expired" error

2020-03-09 Thread Zeid Zabaneh
Greetings everyone,

I have determined the cause of this bug. It is due to a change in the way
*flask-pyoidc* handles session refresh. A new key, *last_session_refresh*,
was added to the session cookie and is now used to determine when an auth
token needs to be refreshed. Users who have logged in before this latest
deployment are missing this value from their session cookie. *flask-pyoidc*
handles these cases incorrectly, marking these users who are missing this
value as not needing a session refresh at all and thus the API will reject
those requests with an "expired token" error without any automatic remedy.

You should not encounter this issue again once you have followed the
instructions of signing out and back in again! There is no need to contact
me regarding this issue unless you are experiencing it despite taking the
steps outlined in the original thread.

Zeid

On Fri, Mar 6, 2020 at 4:09 PM Zeid Zabaneh  wrote:

> Greetings everyone,
>
> A new version of Lando was deployed yesterday around 5:15 PM UTC. This
> release included a major version update to the authentication packages, as
> well as some API changes in order to support those updates. Those updates
> seem to have caused the issue below, and I am looking into whether this
> issue is a temporary bug or a more persistent one.
>
> There have been a few reports of users getting this:
>
>> Lando API returned an unexpected error
>>
>> Appropriate token is expired
>>
>
> This bug should affect you if you are trying to navigate to a *revision
> stack page that contains multiple stacks*, or if you are trying to *land
> a stack*.
>
> If you encounter this error, please log out of Lando, navigate back to
> https://lando.services.mozilla.com/, and log back in again. This should
> resolve the issue.
>
> If you encounter this issue again, some time after you have taken the
> steps above and have been able to successfully use Lando, please notify me
> by replying to this thread.
>
> Sorry for the disruption!
>
> Happy weekend!
>
> -- Zeid
>
> PS & PPS
>
>- If you have encountered this error in the distant past (i.e. prior
>to yesterday) or outside of the criteria above, please send me a note.
>- If you've used Lando since noon UTC yesterday, and have not
>experienced any issues trying to view multiple stacks or land stacks, I'd
>appreciate a quick note.
>
>
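The failure mode Zeid describes, as an added example that is not flask-pyoidc's code and not Lando's: a model of the session-refresh decision in which a session cookie that predates the new `last_session_refresh` key is wrongly treated as freshly refreshed, beside the fix that treats a missing marker as "age unknown, refresh now". The session objects, the refresh interval, the token-expiry modelling and the helper names are assumptions constructed for this example; only the field name comes from the post.

```javascript
// Added example, not flask-pyoidc's or Lando's code: the "missing marker
// means never refresh" defect and its fix, modelled on plain objects.

const REFRESH_INTERVAL_S = 600; // refresh interval chosen for this example

// Buggy decision: a session without last_session_refresh is treated as if it
// had just been refreshed, so its stale token is sent to the API on every
// request until the user signs out and back in.
function needsRefreshBuggy(session, nowS) {
  if (!("last_session_refresh" in session)) {
    return false;
  }
  return nowS - session.last_session_refresh >= REFRESH_INTERVAL_S;
}

// Fixed decision: an absent or malformed marker means the session's age is
// unknown, which must be treated as "refresh now". Sessions issued before the
// marker existed then heal on their next request instead of failing.
function needsRefreshFixed(session, nowS) {
  const last = session.last_session_refresh;
  if (typeof last !== "number" || !Number.isFinite(last)) {
    return true;
  }
  return nowS - last >= REFRESH_INTERVAL_S;
}

// One request: refresh the token when the policy says so, then report what
// the API would answer. Token validity is modelled as an expiry timestamp.
function handleRequest(session, nowS, policy) {
  if (policy(session, nowS)) {
    session.token_expiry = nowS + REFRESH_INTERVAL_S;
    session.last_session_refresh = nowS;
  }
  return session.token_expiry > nowS ? "ok" : "Appropriate token is expired";
}

// Constructed sessions: one issued before the deployment (no marker, token
// already expired) and one issued after it (marker present, token valid).
function scenario(policy) {
  const now = 1000000;
  const preDeploy = { token_expiry: now - 1 };
  const postDeploy = { token_expiry: now + 300, last_session_refresh: now - 300 };
  return {
    pre_deploy: handleRequest(preDeploy, now, policy),
    post_deploy: handleRequest(postDeploy, now, policy),
  };
}

console.log("buggy:", scenario(needsRefreshBuggy));
console.log("fixed:", scenario(needsRefreshFixed));
```

The general lesson is that a freshness check on a field added after sessions were already in circulation must fail closed: absence of the field is the stale case, not the fresh one. The same applies to any value read from a cookie or token that a client may legitimately lack.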


Lando's "Appropriate token is expired" error

2020-03-09 Thread Zeid Zabaneh
Greetings everyone,

A new version of Lando was deployed yesterday around 5:15 PM UTC. This
release included a major version update to the authentication packages, as
well as some API changes in order to support those updates. Those updates
seem to have caused the issue below, and I am looking into whether this
issue is a temporary bug or a more persistent one.

There have been a few reports of users getting this:

> Lando API returned an unexpected error
>
> Appropriate token is expired
>

This bug should affect you if you are trying to navigate to a *revision
stack page that contains multiple stacks*, or if you are trying to *land a
stack*.

If you encounter this error, please log out of Lando, navigate back to
https://lando.services.mozilla.com/, and log back in again. This should
resolve the issue.

If you encounter this issue again, some time after you have taken the steps
above and have been able to successfully use Lando, please notify me by
replying to this thread.

Sorry for the disruption!

Happy weekend!

-- Zeid

PS & PPS

   - If you have encountered this error in the distant past (i.e. prior to
   yesterday) or outside of the criteria above, please send me a note.
   - If you've used Lando since noon UTC yesterday, and have not
   experienced any issues trying to view multiple stacks or land stacks, I'd
   appreciate a quick note.


Re: Soft code freeze for Firefox 75 starts March 5

2020-03-09 Thread Julien Cristau
Hi,

The last merge from autoland to central for 75 has happened, you can now
consider the soft code freeze lifted, new changes will land for 76.

Cheers,
Julien

On Mon, Mar 2, 2020 at 10:48 AM Julien Cristau  wrote:

> Hi all,
>
> With Firefox 74 RC shipping today, we are nearing the end of the Nightly
> 75 cycle.
>
> In order to avoid invalidating the testing we get out of late Nightly and
> to ensure that we can roll out Beta 75 to a wider audience with confidence,
> we'd like to ask that any risky changes be avoided from Thursday March 5th
> until after the version bump to 76 on March 9th.
>
> Some reminders for the soft code freeze period:
>
> Do:
> - Be ready to back out patches that cause crash spikes, new crashes,
> severe regressions
> - Monitor new regressions and escalate merge blockers
> - Support release management by prioritizing fixing of merge blockers
>
> Do Not:
> - Land a risky patch or a large patch
> - Land new features (that affect the current Nightly version) — be mindful
> that code behind NIGHTLY_BUILD or RELEASE_OR_BETA ifdefs can lead to
> unexpected CI results
> - Flip prefs that enable new Features that were untested in the Nightly
> cycle
> - Plan to kick off new experiments that might impact a feature's merge
> readiness
>
> Please let us know if you have any questions/concerns.
>
> Thanks,
> Julien & the Release Management team
>


[desktop] Bugs logged by Desktop Release QA in the last 7 days

2020-03-09 Thread mihai.boldan

Hello,

Here's the list of new issues found and filed by the Desktop Release QA 
team in the last 7 days.
Additional details on the team's priorities last week, as well as the 
plans for the current week are available at: https://tinyurl.com/v45ctlo.

Bugs logged by Desktop Release QA in the last 7 days:
Firefox: about:logins
* NEW - https://bugzil.la/1620531 - about:logins - have [Sort by] button 
share the same width as the dropdown menu


Firefox: Address Bar
* NEW - https://bugzil.la/1620567 - [68.6.0esr] Address bar is closed 
when using scroll mouse button


Firefox: Downloads Panel
* NEW - https://bugzil.la/1619591 - Download manager animation is 
displayed improperly on Windows and Ubuntu
* NEW - https://bugzil.la/1619577 - No warning displayed when 
downloading malicious files using drag and drop


Firefox: PDF Viewer
* NEW - https://bugzil.la/1619595 - PDF viewer - zoom carets flicker 
when opening the zoom options menu


Firefox: Protections UI
* NEW - https://bugzil.la/1619318 - The "X" button inside the cards is 
not focused while navigation with Tab key


Firefox: Theme
* NEW - https://bugzil.la/1620178 - About pages not updating colors on 
theme change


Firefox: Toolbars and Customization
* RESOLVED FIXED - https://bugzil.la/1619228 - The user is able to add a 
separator to the Address Bar


Core: DOM: Content Processes
* NEW - https://bugzil.la/1620157 - Crash in [@ shutdownhang | 
__pthread_cond_wait |  |  | 
mozilla::layers::CompositorThreadHolder::Shutdown]


Core: Layout: Scrolling and Overflow
* NEW - https://bugzil.la/1619532 - Office forms - sluggish scrolling in 
the levels dropdown


Core: Privacy: Anti-Tracking
* NEW - https://bugzil.la/1620530 - Missing buttons on blogspot with 
`network.cookie.cookieBehavior` set to 4


Core: Widget: Gtk
* NEW - https://bugzil.la/1619571 - [Ubuntu] Missing highlight on Clear 
Now button inside the Clear Recent History panel


Toolkit: Find Toolbar
* NEW - https://bugzil.la/1619881 - Find toolbar doesn’t work properly

Toolkit: Form Autofill
* NEW - https://bugzil.la/1619320 - [Form Autofill] Trying to save 
Credit Card details without having a Saved Address beforehand might lead 
to user confusion


Toolkit: Safe Browsing
* ASSIGNED - https://bugzil.la/1619583 - Malicious .exe content is saved 
as .html and download warning is not displayed


Toolkit: Themes
* NEW - https://bugzil.la/1620281 - Overlapping content on 
about:networking page with reduced width


Toolkit: Video/Audio Controls
* NEW - https://bugzil.la/1619252 - [Amazon Prime] Video freezes if 
seeking back or forward when in PIP mode
* NEW - https://bugzil.la/1619263 - [Twitch] The “Click to unmute” 
message is still displayed in the original window if the audio is 
unmuted from PIP window


DevTools: Console
* NEW - https://bugzil.la/1619924 - Instant Evaluation (aka eager 
evaluation) not showing correct values after using Space key on 
different function while autocomplete is opened
* NEW - https://bugzil.la/1619933 - “Switch back to inline mode” button 
can overlaps “Clear the Web Console output” button when devtools window 
is very narrow
* NEW - https://bugzil.la/1620155 - Console - Multi-line icon is not 
centered in the button
* NEW - https://bugzil.la/1620159 - Instant Evaluation - poor contrast 
when selecting evaluation preview with evaluation
* NEW - https://bugzil.la/1620240 - Console - Expression suggestion 
disappear after pressing Enter until moving the mouse
* NEW - https://bugzil.la/1620545 - Console - move the Multi-line mode 
button in the bar above
* NEW - https://bugzil.la/1620569 - Console - Selected input not cleared 
if selecting the preview or another expression
* NEW - https://bugzil.la/1620604 - Console settings - tooltip message 
spacing issue for long messages


DevTools: CSS and Themes
* NEW - https://bugzil.la/1619216 - DevTools - active effect lingers on 
toggle buttons


DevTools: Inspector
* NEW - https://bugzil.la/1620168 - Rules inspector overlaps the 3pane 
tabs selector button if resized


DevTools: Shared Components
* NEW - https://bugzil.la/1619876 - DevTools - Autocomplete menus closed 
on mouse_release instead of mouse_click


Web Compatibility: Desktop
* NEW - https://bugzil.la/1619545 - Vimeo - Default Search message is 
not centered in it's box


This is available as a Bugzilla bug list as well: 
https://tinyurl.com/r3ooc4w.


Regards,
Mihai Boldan

