Re: Intent to implement and ship: same-site cookies

2018-04-10 Thread Jan Odvarko
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:

> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715


For anyone interested in DevTools code-base:

The bug is now labeled as good-first-bug and there are detailed
instructions about how to fix it and write a test.

Jan Honza Odvarko
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
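
The same-site behaviour described in the quoted announcement, as an added example that is not part of the thread and not Firefox code: a model of when a cookie is attached to a request, showing that a cross-site POST (the CSRF case) loses both `Strict` and `Lax` cookies. The site comparison by the last two host labels, the cookie jar and the requests are assumptions constructed for the example.

```javascript
// Added example with constructed requests; not Firefox code.
// registrableDomain() keeps the last two host labels, an assumption that
// stands in for a real Public Suffix List lookup.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// cookie:  { name, value, sameSite }  sameSite is "Strict", "Lax" or undefined
// request: { initiator, target, method, topLevelNavigation }
function shouldAttach(cookie, request) {
  const sameSiteRequest =
    registrableDomain(request.initiator) === registrableDomain(request.target);
  // A cookie without the attribute is sent on every request.
  if (sameSiteRequest || cookie.sameSite === undefined) return true;
  if (cookie.sameSite === "Strict") return false;
  // Lax: cross-site requests carry the cookie only when they are top-level
  // navigations that use a safe method.
  return Boolean(request.topLevelNavigation) &&
    SAFE_METHODS.has(request.method.toUpperCase());
}

function cookieHeader(jar, request) {
  return jar
    .filter((c) => shouldAttach(c, request))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed cookie jar held for shop.example.
const JAR = [
  { name: "session", value: "s1", sameSite: "Strict" },
  { name: "prefs", value: "p1", sameSite: "Lax" },
  { name: "legacy", value: "l1" },
];

// Constructed requests, all targeting shop.example.
const TARGET = "https://shop.example/transfer";
const REQUESTS = {
  sameSitePost: { initiator: "https://www.shop.example/cart", target: TARGET, method: "POST", topLevelNavigation: true },
  crossSitePost: { initiator: "https://forum.example/thread", target: TARGET, method: "POST", topLevelNavigation: true },
  crossSiteLink: { initiator: "https://forum.example/thread", target: TARGET, method: "GET", topLevelNavigation: true },
  crossSiteImage: { initiator: "https://forum.example/thread", target: TARGET, method: "GET", topLevelNavigation: false },
};
```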


Re: Intent to implement and ship: same-site cookies

2018-04-10 Thread Jan Odvarko
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:

> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715


Excellent, and thanks for filing a bug for DevTools!

Jan Honza Odvarko


Re: New Developer Tools Feature: prettifying JSON

2015-04-16 Thread Jan Odvarko
On Wed, Apr 15, 2015 at 8:01 PM, Boris Zbarsky bzbar...@mit.edu wrote:

> How does our XML prettyprinter manage this?  I seem to recall it
> force-loads an XBL binding that provides all the scriptability.

Yes, there is XBL [1] that implements expand/collapse and XSLT [2]
transforming the document. All wired together within nsXMLPrettyPrinter.cpp
file.

> Does that have the same problem with CSP headers?

This works since no script is directly injected into the page content (it's
separated in the binding).

> If not, can you take the same approach here?

We are obviously trying to avoid C++ code in devtools, but also XUL/XBL in
favor of pure JS/HTML/CSS stack.

Not sure if there is yet another way to manipulate content with a script
that is living outside the content (frame script?).

Honza


[1] http://mxr.mozilla.org/mozilla-central/source/dom/xml/resources/XMLPrettyPrint.xml
[2] http://mxr.mozilla.org/mozilla-central/source/dom/xml/resources/XMLPrettyPrint.xsl
[3] http://mxr.mozilla.org/mozilla-central/source/dom/xml/nsXMLPrettyPrinter.cpp#46


Re: New Developer Tools Feature: prettifying JSON

2015-04-16 Thread Jan Odvarko
On Thu, Apr 16, 2015 at 10:30 AM, Frederik Braun fbr...@mozilla.com wrote:


> Running our code in someone else's origin sounds undesired indeed. Not
> only because of CSP: What if someone puts this in a frame (or a popup)
> and interacts with this JSON viewer?

Why iteration with a frame with the viewer could be an issue?

> A custom URL sounds more reasonable
> - but we have to make sure it doesn't have special powers, in case we
> mess up and the JSON viewer can be XSSed.

Yes, my gut feeling is along these lines.

> Maybe we can build a JSON-specific handler in `view-source'? The
> view-source scheme has all the security details in place!
> You can't put 'view-source' in a frame, object or embed tag.
> It's on a unique origin. It has no special privileges.

Also an option (I think it's pretty much the same as if there was
something like View Page JSON)

> WDYT? Maybe view-source could show colored HTML for _this_ content type
> and prettified JSON for _that_ content type. AFAIR we even had something
> like this for XML in the tree - didn't we?

I don't know.

Honza





Re: New Developer Tools Feature: prettifying JSON

2015-04-16 Thread Jan Odvarko
Thanks for the link, looks interesting indeed!
Honza

On Thu, Apr 16, 2015 at 3:23 AM, Karl Dubost kdub...@mozilla.com wrote:

> Jan,
>
> On 16 Apr 2015 at 01:54, Jan Odvarko odva...@gmail.com wrote:
> > One of the new features we'd like to have in DevEdition 40 is related to
> > JSON rendering.
>
> Prettifying JSON is a good idea.
> Did you check/play with jq?
>
> https://stedolan.github.io/jq/
> https://jqplay.org/
>
> They do a really good job at showing and understanding the data.
> This is mostly a text-based UI with syntax coloring but it's very
> effective as it gives me the power at the tips of my hands. Not constrained
> by a choice of UI.
>
> Talking about prettifying, it would be nice if we could have user themes
> (maybe textmate/sublime theme language) to be able to choose the
> rendering/prettifying rules for JSON, HTML, JS, etc.
>
> --
> Karl Dubost, Mozilla
> http://www.la-grange.net/karl/moz




Re: New Developer Tools Feature: prettifying JSON

2015-04-16 Thread Jan Odvarko
On Thu, Apr 16, 2015 at 4:36 PM, Boris Zbarsky bzbar...@mit.edu wrote:

> On 4/16/15 4:37 AM, Jan Odvarko wrote:
>
> > We are obviously trying to avoid C++ code in devtools
>
> Sure.  We can add scriptable APIs as needed.  For example, we already have
> one for adding anonymous content, right?

Yes, and it's precisely the way we happily support!

Honza


New Developer Tools Feature: prettifying JSON

2015-04-15 Thread Jan Odvarko
One of the new features we'd like to have in DevEdition 40 is related to
JSON rendering. Dev folks deal with JSON a lot these days and we want to
make the work easier by rendering JSON as an expandable tree that allows
easy inspection and filter/search.

One option to make this is implementing a stream converter with
contract-id: @mozilla.org/streamconv;1?from=application/json&to=*/html

This means that any document with application/json (loaded into a tab) is
auto converted into a little HTML app that allows easy inspection. See a
screenshot here: http://snag.gy/rHivb.jpg

This approach has one security implication, if the page uses default-src
'none' (or other security restrictions?) - injecting JS into it generates
warnings: Content Security Policy: The page's settings blocked the loading
of a resource at self (default-src 'none').

Another option is introducing specific URL (like:
chrome://browser/devtools/jsonviewer.xul) that implements the entire app
and avoids JS injection in the existing content. But direct conversion of
JSON documents is handy... and perhaps we have yet another option...?

What do you think?
What approach is the best here? (and without any security concerns)

Honza
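
The CSP behaviour raised in the message above, as an added example that is not part of the thread and not Firefox code: a small policy evaluator showing that under `default-src 'none'` a script injected into the JSON document is refused whether it is inline or loaded from the document's own origin, because `script-src` falls back to `default-src`. Only `'none'`, `'self'`, `'unsafe-inline'`, `*` and exact origins are handled; the origin and URLs are constructed.

```javascript
// Added example, constructed inputs; not Firefox code. Handles only the
// source expressions 'none', 'self', 'unsafe-inline', '*' and exact origins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src governs scripts; when absent, default-src is the fallback.
function scriptSources(policy) {
  if (policy.has("script-src")) return policy.get("script-src");
  if (policy.has("default-src")) return policy.get("default-src");
  return null; // no applicable directive: scripts are unrestricted
}

// script is { inline: true } or { url: "..." }, loaded by a page at pageOrigin.
function allowsScript(header, pageOrigin, script) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  // 'none' matches nothing, so dropping it leaves an empty (deny-all) list.
  const list = sources.map((s) => s.toLowerCase()).filter((s) => s !== "'none'");
  if (script.inline) return list.includes("'unsafe-inline'");
  const origin = new URL(script.url, pageOrigin).origin;
  return list.some(
    (s) => s === "*" || s === origin || (s === "'self'" && origin === pageOrigin)
  );
}

const PAGE = "https://api.example"; // constructed origin serving the JSON
const STRICT = "default-src 'none'";
const RELAXED = "default-src 'none'; script-src 'self'";
```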


Re: nsIStreamConverter e10s

2015-04-15 Thread Jan Odvarko
Yes, the platform bug seems to be related.
I commented in the report.

Honza


> On 10 Apr 2015, at 18:11, Gabor Krizsanits gkrizsan...@mozilla.com wrote:
>
> I'm working on a bug that might be related
> (https://bugzilla.mozilla.org/show_bug.cgi?id=982319). Could you provide me
> some more details about the issue you have? In general it's a bit tricky
> area, are you trying to convert the stream on the parent or on the child
> side? What is your exact set-up and what does not work? Any case, filing bug
> is probably a good idea...
>
> Gabor
>
> On Fri, Apr 10, 2015 at 4:42 PM, Jan Odvarko odva...@gmail.com wrote:
> > I created a (JS) component that implements nsIStreamConverter (JSON ->
> > HTML), but it doesn't seem to work in e10s.
> >
> > Is this supposed to work?
> > Is there a bug for this?
> >
> > Honza


RE: Telemetry additions: count histograms & keyed histograms

2014-11-06 Thread Jan Odvarko
> I updated the documentation accordingly:
> https://developer.mozilla.org/en-US/docs/Mozilla/Performance/Adding_a_new_Telemetry_probe
Nice!

Note that the page needs to be yet updated since 
registerAddonHistogram has different order of arguments now:
https://bugzilla.mozilla.org/show_bug.cgi?id=1069953

Honza



> -----Original Message-----
> From: dev-platform [mailto:dev-platform-bounces+odvarko=gmail@lists.mozilla.org] On Behalf Of Georg Fritzsche
> Sent: Thursday, November 06, 2014 5:05 PM
> To: dev-platform@lists.mozilla.org
> Cc: Firefox Dev
> Subject: Telemetry additions: count histograms & keyed histograms
>
> Per bug 1069873 and bug 1069874, Telemetry now has:
> * a new histogram type for counts (so there is no need anymore to use
>   boolean histograms for that)
> * keyed histograms, basically providing a key/value store (mapping string
>   keys to histograms)
>
> I updated the documentation accordingly:
> https://developer.mozilla.org/en-US/docs/Mozilla/Performance/Adding_a_new_Telemetry_probe
>
> Georg


RE: XUL splitmenu

2013-09-07 Thread Jan Odvarko
I see, thanks for the update
Honza

> -----Original Message-----
> From: gavin.sh...@gmail.com [mailto:gavin.sh...@gmail.com] On Behalf Of
> Gavin Sharp
> Sent: Saturday, September 07, 2013 2:55 AM
> To: Jan Odvarko
> Cc: dev-platform
> Subject: Re: XUL splitmenu
>
> As I commented in bug 770316, splitmenus aren't really a supported part of the
> general platform, and I think we will remove them soon. So I would discourage
> you from using them further, if possible :)
>
> Gavin
>
> On Thu, Sep 5, 2013 at 2:42 PM, Jan Odvarko odva...@gmail.com wrote:
> > Two questions about splitmenu element:
> >
> > #1) I wanted to display a check-box in front of the splitmenu
> > element, but setting type=checkbox and checked=true doesn't help.
> > Shouldn't this just work? Is this a bug?
> >
> > #2) It looks like that the splitmenu element doesn't work on OSX.
> > Correct?
> >
> > Honza
 


RE: DevTools: how to get list of mutation observers for an element

2013-09-05 Thread Jan Odvarko
> > Should I file a bug for this?
> Yes, please. CC me
Done
https://bugzilla.mozilla.org/show_bug.cgi?id=912874
Honza


> -----Original Message-----
> From: smaug [mailto:sm...@welho.com]
> Sent: Wednesday, September 04, 2013 9:21 PM
> To: Jan Odvarko
> Subject: Re: DevTools: how to get list of mutation observers for an element
>
> On 09/04/2013 09:43 AM, Jan Odvarko wrote:
> > It's currently possible to get registered event listeners for
> > specific target (element, window, xhr, etc.)
> > using nsIEventListenerService.getListenerInfoFor
> >
> > Is there any API that would allow to get also mutation observers?
> no
>
> > Should I file a bug for this?
> Yes, please. CC me
>
> -Olli :smaug
>
> > Honza



XUL splitmenu

2013-09-05 Thread Jan Odvarko
Two questions about splitmenu element:

#1) I wanted to display a check-box in front of the splitmenu element,
but setting type=checkbox and checked=true doesn't help.
Shouldn't this just work? Is this a bug?

#2) It looks like that the splitmenu element doesn't work
on OSX. Correct?

Honza



RE: swapDocShells

2013-07-24 Thread Jan Odvarko
> > Is the method removed?
>
> No.
I have reported the problem here + STR:
https://bugzilla.mozilla.org/show_bug.cgi?id=897386

Honza

> -----Original Message-----
> From: dev-platform-bounces+odvarko=gmail@lists.mozilla.org
> [mailto:dev-platform-bounces+odvarko=gmail@lists.mozilla.org] On
> Behalf Of Boris Zbarsky
> Sent: Tuesday, July 23, 2013 5:21 PM
> To: dev-platform@lists.mozilla.org
> Subject: Re: swapDocShells
>
> On 7/23/13 10:38 AM, Jan Odvarko wrote:
> > Is the method removed?
>
> No.
>
> -Boris
 


swapDocShells

2013-07-23 Thread Jan Odvarko
Firebug started throwing an exception (since Friday last week)

swapDocShells is not a function

... every time it's detached.

Is the method removed?
If yes, are there any alternatives?

Honza



Block cookies from sites I haven't visited

2013-06-27 Thread Jan Odvarko
Firefox 22 introduced a new cookie feature that allows to block
cookies from not-visited sites.

Blog post here:
https://brendaneich.com/2013/06/the-cookie-clearinghouse/

This change includes also different default value for
network.cookie.cookieBehavior preference, which is now:
3 == limit foreign cookies

---

I'd like to fix Firebug UI that is available for changing cookie
permissions on a site-by-site basis (Firebug always applies
on the current page).

The question is what is the correct argument to pass to
nsIPermissionManager.add() method to limit third party
cookies for specific URI. I am using
Ci.nsICookiePermission.ACCESS_LIMIT_THIRD_PARTY

Is that correct?

Honza

 
