Re: Intent to implement and ship: same-site cookies
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715

For anyone interested in DevTools code-base: The bug is now labeled as good-first-bug and there are detailed instructions about how to fix it and write a test.

Jan Honza Odvarko
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

Re: Intent to implement and ship: same-site cookies
On Tue, Apr 10, 2018 at 4:25 AM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61. This new cookie
> attribute allows sites to prevent cross-site requests from using those
> cookies which provides a mechanism for web sites to protect themselves
> against Cross-Site Request Forgery (CSRF) attacks.
>
> Specification (cookies):
> https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
>
> Tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=795346
>
> Platform coverage: all
>
> Gating preference: network.cookie.same-site.enabled
>
> Devtools support: https://bugzilla.mozilla.org/show_bug.cgi?id=1452715

Excellent, and thanks for filing bug for DevTools!

Jan Honza Odvarko

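The cookie attribute described in the announcement quoted above, as an added example that is not part of the original thread and is not Firefox code: a simplified model of when a browser attaches a cookie under the draft's Strict and Lax modes. The request fields, the three-entry suffix set and the example hosts are assumptions made for the illustration.

```javascript
// Added example, not Firefox code. Simplified SameSite decision logic.
// Assumption: this constructed suffix set stands in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Registrable domain: the public suffix plus one label to its left.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // bare or unknown suffix: no registrable domain
}

// request (hypothetical shape): { url, siteForCookies, method, topLevelNavigation }
function isSameSite(request) {
  const target = registrableDomain(new URL(request.url).hostname);
  const source = registrableDomain(new URL(request.siteForCookies).hostname);
  return target !== null && target === source;
}

// cookie: { name, sameSite } where sameSite is "Strict", "Lax" or undefined.
function shouldSendCookie(cookie, request) {
  if (cookie.sameSite === undefined) return true; // no attribute: always sent
  if (isSameSite(request)) return true;
  if (cookie.sameSite === "Lax") {
    return request.topLevelNavigation && SAFE_METHODS.has(request.method);
  }
  return false; // Strict: withheld from every cross-site request
}

function cookiesFor(jar, request) {
  return jar.filter((c) => shouldSendCookie(c, request)).map((c) => c.name);
}

// Constructed sample jar and requests (hypothetical hosts).
const jar = [{ name: "legacy" }, { name: "lax", sameSite: "Lax" },
  { name: "strict", sameSite: "Strict" }];
const crossSitePost = { url: "https://bank.example.com/transfer",
  siteForCookies: "https://other.example.org/", method: "POST", topLevelNavigation: true };
const crossSiteLink = { ...crossSitePost, url: "https://bank.example.com/", method: "GET" };
const sameSiteXhr = { url: "https://api.example.com/transfer",
  siteForCookies: "https://bank.example.com/", method: "POST", topLevelNavigation: false };
for (const r of [crossSitePost, crossSiteLink, sameSiteXhr]) {
  console.log(r.method, r.url, "->", cookiesFor(jar, r).join(", "));
}
```

Only the cookie without the attribute accompanies the cross-site POST, which is the CSRF case the announcement refers to; the Lax cookie is still sent on a cross-site link click.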
Re: New Developer Tools Feature: prettifying JSON
On Wed, Apr 15, 2015 at 8:01 PM, Boris Zbarsky bzbar...@mit.edu wrote:
> How does our XML prettyprinter manage this? I seem to recall it
> force-loads an XBL binding that provides all the scriptability.

Yes, there is XBL [1] that implements expand/collapse and XSLT [2] transforming the document. All wired together within nsXMLPrettyPrinter.cpp file.

> Does that have the same problem with CSP headers?

This works since no script is directly injected into the page content (it's separated in the binding).

> If not, can you take the same approach here?

We are obviously trying to avoid C++ code in devtools, but also XUL/XBL in favor of pure JS/HTML/CSS stack. Not sure if there is yet another way how to manipulate content with a script that is living outside the content (frame script?).

Honza

[1] http://mxr.mozilla.org/mozilla-central/source/dom/xml/resources/XMLPrettyPrint.xml
[2] http://mxr.mozilla.org/mozilla-central/source/dom/xml/resources/XMLPrettyPrint.xsl
[3] http://mxr.mozilla.org/mozilla-central/source/dom/xml/nsXMLPrettyPrinter.cpp#46

Re: New Developer Tools Feature: prettifying JSON
On Thu, Apr 16, 2015 at 10:30 AM, Frederik Braun fbr...@mozilla.com wrote:
> Running our code in someone else's origin sounds undesired indeed. Not
> only because of CSP: What if someone puts this in a frame (or a popup)
> and interacts with this JSON viewer?

Why iteration with a frame with the viewer could be an issue?

> A custom URL sounds more reasonable - but we have to make sure it
> doesn't have special powers, in case we mess up and the JSON viewer can
> be XSSed.

Yes, my gut feeling is along these lines.

> Maybe we can build a JSON-specific handler in `view-source'? The
> view-source scheme has all the security details in place! You can't put
> 'view-source' in a frame, object or embed tag. It's on a unique origin.
> It has no special privileges.

Also an option (I think it's pretty much the same as if there was something like View Page JSON)

> WDYT? Maybe view-source could show colored HTML for _this_ content type
> and prettified JSON for _that_ content type. AFAIR we even had
> something like this for XML in the tree - didn't we?

I don't know.

Honza

Re: New Developer Tools Feature: prettifying JSON
Thanks for the link, looks interesting indeed!

Honza

On Thu, Apr 16, 2015 at 3:23 AM, Karl Dubost kdub...@mozilla.com wrote:
> Jan,
>
> On 16 Apr 2015, at 01:54, Jan Odvarko odva...@gmail.com wrote:
>> One of the new features we'd like to have in DevEdition 40 is related
>> to JSON rendering.
>
> Prettifying JSON is a good idea.
> Did you check/play with jq?
> https://stedolan.github.io/jq/
> https://jqplay.org/
>
> They do a really good job at showing and understanding the data. This
> is mostly a text-based UI with syntax coloring but it's very effective
> as it gives me the power at the tips of my hands. Not constrained by a
> choice of UI.
>
> Talking about prettifying, it would be nice if we could have user
> themes (maybe textmate/sublime theme language) to be able to choose the
> rendering/prettifying rules for JSON, HTML, JS, etc.
>
> --
> Karl Dubost, Mozilla
> http://www.la-grange.net/karl/moz

Re: New Developer Tools Feature: prettifying JSON
On Thu, Apr 16, 2015 at 4:36 PM, Boris Zbarsky bzbar...@mit.edu wrote:
> On 4/16/15 4:37 AM, Jan Odvarko wrote:
>> We are obviously trying to avoid C++ code in devtools
>
> Sure. We can add scriptable APIs as needed. For example, we already
> have one for adding anonymous content, right?

Yes, and it's precisely the way we happily support!

Honza

New Developer Tools Feature: prettifying JSON
One of the new features we'd like to have in DevEdition 40 is related to JSON rendering.

Dev folks deal with JSON a lot these days and we want to make the work easier by rendering JSON as an expandable tree that allows easy inspection and filter/search.

One option to make this is implementing a stream convertor with contract-id:

@mozilla.org/streamconv;1?from=application/json&to=*/html

This means that any document with application/json (loaded into a tab) is auto converted into a little HTML app that allows easy inspection.

See a screenshot here: http://snag.gy/rHivb.jpg

This approach has one security implication, if the page uses default-src 'none' (or other security restrictions?) - injecting JS into it generates warnings:

Content Security Policy: The page's settings blocked the loading of a resource at self (default-src 'none').

Another option is introducing specific URL (like: chrome://browser/devtools/jsonviewer.xul) that implements the entire app and avoids JS injection in the existing content.

But direct conversion of JSON documents is handy... and perhaps we have yet another option...?

What do you think? What approach is the best here? (and without any security concerns)

Honza

Re: nsIStreamConverter e10s
Yes, the platform bug seems to be related. I commented in the report.

Honza

On 10 Apr 2015, at 18:11, Gabor Krizsanits gkrizsan...@mozilla.com wrote:
> I'm working on a bug that might be related
> (https://bugzilla.mozilla.org/show_bug.cgi?id=982319). Could you
> provide me some more details about the issue you have? In general it's
> a bit tricky area, are you trying to convert the stream on the parent
> or on the child side? What is your exact set-up and what does not work?
>
> Any case, filing bug is probably a good idea...
>
> Gabor
>
> On Fri, Apr 10, 2015 at 4:42 PM, Jan Odvarko odva...@gmail.com wrote:
>> I created a (JS) component that implements nsIStreamConverter (JSON -
>> HTML), but it doesn't seem to work in e10s.
>>
>> Is this supposed to work? Is there a bug for this?
>>
>> Honza

RE: Telemetry additions: count histograms keyed histograms
> I updated the documentation accordingly:
> https://developer.mozilla.org/en-US/docs/Mozilla/Performance/Adding_a_new_Telemetry_probe

Nice!

Note that the page needs to be yet updated since registerAddonHistogram has different order of arguments now:
https://bugzilla.mozilla.org/show_bug.cgi?id=1069953

Honza

-----Original Message-----
From: dev-platform [mailto:dev-platform-bounces+odvarko=gmail@lists.mozilla.org] On Behalf Of Georg Fritzsche
Sent: Thursday, November 06, 2014 5:05 PM
To: dev-platform@lists.mozilla.org
Cc: Firefox Dev
Subject: Telemetry additions: count histograms keyed histograms

Per bug 1069873 and bug 1069874, Telemetry now has:
* a new histogram type for counts (so there is no need anymore to use boolean histograms for that)
* keyed histograms, basically providing a key/value store (mapping string keys to histograms)

I updated the documentation accordingly:
https://developer.mozilla.org/en-US/docs/Mozilla/Performance/Adding_a_new_Telemetry_probe

Georg

RE: XUL splitmenu
I see, thanks for the update

Honza

-----Original Message-----
From: gavin.sh...@gmail.com [mailto:gavin.sh...@gmail.com] On Behalf Of Gavin Sharp
Sent: Saturday, September 07, 2013 2:55 AM
To: Jan Odvarko
Cc: dev-platform
Subject: Re: XUL splitmenu

As I commented in bug 770316, splitmenus aren't really a supported part of the general platform, and I think we will remove them soon. So I would discourage you from using them further, if possible :)

Gavin

On Thu, Sep 5, 2013 at 2:42 PM, Jan Odvarko odva...@gmail.com wrote:
> Two questions about splitmenu element:
>
> #1) I wanted to display a check-box in front of the splitmenu element,
> but setting type=checkbox and checked=true doesn't help. Shouldn't this
> just work? Is this a bug?
>
> #2) It looks like that the splitmenu element doesn't work on OSX.
> Correct?
>
> Honza

RE: DevTools: how to get list of mutation observers for an element
>> Should I file a bug for this?
> Yes, please. CC me

Done
https://bugzilla.mozilla.org/show_bug.cgi?id=912874

Honza

-----Original Message-----
From: smaug [mailto:sm...@welho.com]
Sent: Wednesday, September 04, 2013 9:21 PM
To: Jan Odvarko
Subject: Re: DevTools: how to get list of mutation observers for an element

On 09/04/2013 09:43 AM, Jan Odvarko wrote:
> It's currently possible to get registered event listeners for specific
> target (element, window, xhr, etc.) using
> nsIEventListenerService.getListenerInfoFor
>
> Is there any API that would allow to get also mutation observers?

no

> Should I file a bug for this?

Yes, please. CC me

-Olli :smaug

> Honza

XUL splitmenu
Two questions about splitmenu element:

#1) I wanted to display a check-box in front of the splitmenu element, but setting type=checkbox and checked=true doesn't help. Shouldn't this just work? Is this a bug?

#2) It looks like that the splitmenu element doesn't work on OSX. Correct?

Honza

RE: swapDocShells
>> Is the method removed?
> No.

I have reported the problem here + STR:
https://bugzilla.mozilla.org/show_bug.cgi?id=897386

Honza

-----Original Message-----
From: dev-platform-bounces+odvarko=gmail@lists.mozilla.org [mailto:dev-platform-bounces+odvarko=gmail@lists.mozilla.org] On Behalf Of Boris Zbarsky
Sent: Tuesday, July 23, 2013 5:21 PM
To: dev-platform@lists.mozilla.org
Subject: Re: swapDocShells

On 7/23/13 10:38 AM, Jan Odvarko wrote:
> Is the method removed?

No.

-Boris

swapDocShells
Firebug started throwing an exception (since Friday last week)

swapDocShells is not a function

... every time it's detached.

Is the method removed? If yes, are there any alternatives?

Honza

Block cookies from sites I haven't visited
Firefox 22 introduced a new cookie feature that allows to block cookies from not-visited sites.

Blog post here: https://brendaneich.com/2013/06/the-cookie-clearinghouse/

This change includes also different default value for network.cookie.cookieBehavior preference, which is now: 3 == limit foreign cookies

---

I'd like to fix Firebug UI that is available for changing cookie permissions on a site-by-site basis (Firebug always applies on the current page).

The question is what is the correct argument to pass to nsIPermissionManager.add() method to limit third party cookies for specific URI.

I am using Ci.nsICookiePermission.ACCESS_LIMIT_THIRD_PARTY

Is that correct?

Honza