On Mon, Apr 9, 2018 at 11:56 PM, Anne van Kesteren wrote:
> We keep
> trying to find ways to limit cookies transmitted over HTTP (and
> limiting HTTP in general). Offering better cookies over HTTPS seems
> like a good incentive for sites to migrate.
To me "better
On Sat, Jan 27, 2018 at 6:35 PM, greyhorseman wrote:
> so we're talking 2 full releases and maybe 6-7 months? Am I at least
> close to correct?
If your question was truly "allow ME to use my ubikeys?" (emphasis mine)
then you can do that since Firefox 57, by changing
On Fri, Jan 26, 2018 at 6:06 PM, greyhorseman wrote:
> question is when, if ever, Firefox is going to support this standard fully
> and allow me to use my ubikeys?
On Fri, Jan 12, 2018 at 2:12 PM, Gijs Kruitbosch
> the most likely group of people to have enabled this (given 0 public
> reports on breakage so far, as far as I'm aware) are people on ESR or
> otherwise in enterprise environments
Or those trying to run
On Wed, Jan 10, 2018 at 5:35 PM, Tantek Çelik
> Also good methodology worth repeating:
>"thinking ... through all the way up to and including the user
> experience, makes for a much more viable approach"
Including, of course, "how will 4chan trolls
On Wed, Jan 10, 2018 at 12:32 PM, L. David Baron wrote:
> Is stopping canvas fingerprinting actually a substantial reduction
> in available entropy, or is it just removing a convenient source
> that happens to combine a bunch of sources of entropy that are also
On Wed, Jan 3, 2018 at 7:48 AM, Jonathan Kingston wrote:
> For GPS we only ever talk about "location", I still don't think that is a
> far stretch from head/position tracking.
Users aren't going to understand why their tilt-the-tablet labyrinth game
needs to know they're in
On Wed, Dec 6, 2017 at 9:13 AM, Dragana Damjanovic
> Bug 1423522 should fix this.
That doesn't fix it, that reenables the phishing risk. There's no reason
the phisher's server can't pretend to be a proxy if that's what it takes to
get a spoofy auth prompt to
On Tue, Dec 5, 2017 at 1:29 PM, Xidorn Quan wrote:
> Would this affect authentication from proxy? For example, if the
> cross-origin image is on a domain which PAC decides to use proxy for,
> and the proxy requires authentication, would the dialog prompt for it be
On Fri, Nov 17, 2017 at 9:25 AM, James Graham <ja...@hoppipolla.co.uk>
> On 17/11/17 16:06, Daniel Veditz wrote:
>> We fail many of the existing CSP web platform tests, despite having
>> implemented most of the features, because they were written to use the
On Fri, Nov 17, 2017 at 2:01 AM, James Graham
> Do we have cross-browser (i.e. web-platform) tests covering this feature?
We fail many of the existing CSP web platform tests, despite having
implemented most of the features, because they were written to use the
On Thu, Oct 19, 2017 at 9:30 AM, smaug wrote:
> (Hoping the r=documentation flag won't be misused ;))
I hope there will be some kind of hook making sure files touched in that
manner are all actually documentation files and not other parts of the repo.
On Wed, Oct 18, 2017 at 4:51 AM, Mark Banner wrote:
> I did an experiment, and the only way I got an error out was to have
Why isn't it a code-style/review requirement that our own internal JS
include "use strict"? As a quick check I
On Fri, Oct 6, 2017 at 12:15 PM, Randell Jesup
> There's "publish an extension that
> lets you fiddle the width" (doable today).
WebExtensions can't manipulate prefs other than the ones explicitly
exposed via a WebExtension API. Only "system add-ons" have
On Fri, Oct 6, 2017 at 12:57 AM, Lars Hansen wrote:
> even if I don't exactly remember the
> ID I'm looking for I can narrow it down to one or two tabs and then hover
> if I need to.
> Many other sites also have tabs that can be distinguished
On Mon, Oct 2, 2017 at 8:17 AM, Boris Zbarsky wrote:
> The fact is, direct DOM manipulation with no parser involved is really
> annoying to use.
Fair enough. Could we propose improvements to the APIs that would make
them more usable? For example an object argument to
On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky wrote:
> On 9/29/17 3:32 PM, Kris Maglione wrote:
>> For instance, the following should all capture the caller principal for
>> the `src` URL at call time:
> On Sep 22, 2017, at 10:27 PM, Daniel Veditz <dved...@mozilla.com> wrote:
> Christoph said
>> For backwards compatibility child-src will still be enforced for:
>> * workers (if worker-src is not explicitly specified)
On Fri, Sep 22, 2017 at 7:24 AM, Anne van Kesteren wrote:
> > We plan to ship the CSP directive worker-src within Firefox 58.
> Will we also start enforcing script-src for workers? It seems good
> that if you restrict script it actually stops all scripts.
Yes. That's what
Just to clear up the headline: we intend to unship "top level navigations
to data:" (currently allowed) by blocking them. The body of the message was
clear, just fixing the subject for people (and twitter bots) that don't get
On Fri, Sep 8, 2017 at 2:42 PM, Frank-Rainer Grahl wrote:
> > who can see confidential or secure bugs
> This is a bit vague. If I am cced to a secure bug does this apply if I
> only have editbugs otherwise?
There's a missing ".. by default" there. Only applies if your account
On Tue, Jul 25, 2017 at 1:04 AM, Enrico Weigelt, metux IT consult <
> On 25.07.2017 02:04, Kris Maglione wrote:
> The only remaining in-tree references to the XP_OS2 macros are in NSPR
>> and NSS, which are technically separate projects, and have their own
On Thu, Sep 7, 2017 at 11:28 AM, Enrico Weigelt, metux IT consult <
> Optimally, the browser should tell nothing about the client - web
> content should written in a way that it works independent from the
> actual client. At least that's how the web originally was
On Wed, Sep 6, 2017 at 4:53 PM, Emma Humphries wrote:
> This begs the question, why was that whiteboard tag being used that way?
Surely there are other reasons to disable tests, and people might want to
track those too. If you want to restrict your new keyword to just
On Tue, Sep 5, 2017 at 10:13 AM, Shubhie Panicker via dev-platform <
> Boris expressed privacy concern with the API and suggested starting a
> thread here to get some concrete feedback.
It's great that you agreed to send this (and other client hints?)
On Wed, Aug 16, 2017 at 3:51 PM, L. David Baron wrote:
> I still think opposing this charter because the group should still
> be in the incubation phase would be inconsistent with our shipping
> and promotion of WebVR.
I agree that would be exceptionally odd and require a
On Wed, Aug 16, 2017 at 7:20 AM, Enrico Weigelt, metux IT consult <
> Regarding CID vs CONTRACTID - still haven't understood why CIDs are
> random numbers, instead of human-readable names
Someone in 1999 or 2000 thought it was a good idea and set the pattern.
Don't do (c) -- it's pointless. You won't be helping us test nightly changes
and will miss any important fixes (especially security ones). Go ahead and
switch to beta if you have to. Your extensions will work, you'll be helping
us ship a good 56, and you'll get security fixes. Hate to lose nightly
On Fri, Aug 11, 2017 at 2:19 PM, Frank-Rainer Grahl wrote:
> Great that you are so zealous to remove deprecated apis from the tree. I
> just wish I would see the same amount of work put into fixing web
> extensions shortcomings.
If you're not seeing that we've put multiples of
On Wed, Aug 9, 2017 at 11:32 AM, Mark Côté wrote:
> I actually like Gijs's proposal, to mirror *from* Phabricator *to* BMO.
> That way, if you're looking at the bug and want to pull someone in, you CC
> them; if you're looking at the fix and want to involve someone, you add
On Wed, Aug 9, 2017 at 9:57 AM, Valentin Gosu
> This is a definite improvement in terms of web-compat. document.origin,
> location.href, etc will from now on return punycode.
What do web pages do if they want to reflect a pretty URL into their page?
On Tue, Aug 8, 2017 at 5:30 PM, Mark Côté wrote:
> I am not sure how often CCed users are involved with confidential bugs'
> Anecdotally I have been told that a lot of the time users are CCed
> just to be informed of the problem, e.g. a manager might
On Wed, Aug 9, 2017 at 12:20 AM, Axel Hecht wrote:
> I think we should strive to have as few people as possible with general
> access to security bugs.
We do. We've reduced the number of people with access, and split the
"client" security group into ~10 sub groups so that
On Tue, Aug 8, 2017 at 11:38 PM, Nicolas B. Pierron <
> However, users outside of the security group(s) can see confidential bugs
>> if they are involved with them in some way. Frequently the CC field is
>> used as a way to include outsiders in a bug.
On Tue, Aug 8, 2017 at 6:12 AM, Christoph Kerschbaumer
> compliant with the behavior of other browsers which all have been shipping
> that behavior for a long time.
No other browser has _ever_ treated data: the way we do. The spec at one
time said they should
On Wed, Jul 12, 2017 at 8:54 AM, Byron Jones wrote:
> Consider that we are talking about "turning off" mozreview now. Will all
>> the bugzilla links to those reviews go dead? Or do we have to maintain a
>> second service in read-only mode forever?
> the patches will be
On Wed, Apr 5, 2017 at 7:14 AM, Aryeh Gregor wrote:
> > really help. :-( But to me it seems like the kind of thing that we'd
> > want to be able to quickly turn off on the release channel through
> > shipping a hotfix add-on that sets a pref if something goes wrong...
On Mon, Mar 27, 2017 at 1:22 AM, Frederik Braun wrote:
> UI hooks, for the SafeBrowsing
> malicious file checks, where we really,
> really discourage you from using
> the downloaded file but you can still click around that with lots of
Most people working on sub-resource integrity have wanted to extend SRI to
downloads, it was even in the initial version of the spec but foundered in
the weeds of edge cases iirc. I don't see an open issue for it though:
looks like it got lost in the transition from our old repo to the new one.
On Fri, Mar 17, 2017 at 3:26 PM, Ehsan Akhgari
> We have library imports that are forks, for example
> dom/media/webaudio/blink, as the README file explains. That should
> probably be removed from that list.
Forks are tricky. Just because we can't
On Mon, Dec 19, 2016 at 10:00 PM, Kan-Ru Chen wrote:
> I think the most important is to identify whether the crash bugs are
> regressions so they can be tracked accordingly.
I would guess that crash bugs filed by project Uptime are going to be (or
at least look like)
We have implemented CSP2 and are in support of its adoption as a standard.
On Mon, Nov 7, 2016 at 10:07 PM, L. David Baron wrote:
> A W3C Proposed Recommendation is available for the membership of W3C
> (including Mozilla) to vote on, before it proceeds to the
On Tue, Sep 13, 2016 at 12:25 PM, Boris Zbarsky wrote:
> Probably; we know they get created; what we don't know is how they're used.
Since Gecko is the only engine that behaves this way we can be reasonably
sure we won't find public "must use Firefox" web sites depending on
The "Cookie prefix" adds restrictions to how cookies with two specific
prefixes may be used. This addresses some of the Weak Confidentiality and
Weak Integrity concerns noted by RFC 6265 (
Cookies whose names start with "__Secure-" or "__Host-"
On Sat, Jun 18, 2016 at 6:37 AM, Eric Rescorla wrote:
> instead of having it sourced from the
> origin, they instead stand
> up ".publisher.example.com"
> it at the advertiser's
> IP addresses (via an A record to the
On 4/20/16 11:53 AM, Armen Zambrano G. wrote:
> Would it make more sense to have a relbranch instead of using ESR?
Oh lordy, no! It's hard enough diverting engineering work to supporting
a single ESR 9 months after the fork. Why would we do two of them? How
would a relbranch differ from ESR?
On Thu, Mar 31, 2016 at 12:28 PM, Milan Sreckovic
> I’m going to start and keep arguing that we do not want to have an
> explicit name for that largest bucket of “wishlist” bugs, and should
> instead have it marked by the absence of a tag.
What distinguishes a
On Mon, Dec 7, 2015 at 4:36 AM, Kurt Roeckx wrote:
> On 2015-12-04 19:43, jmath...@mozilla.com wrote:
>> Not an issue since initial rollout to beta and release will be to users
>> who do not have addons installed.
> Is it even possible to have no addons installed? Firefox
On Thu, Jun 11, 2015 at 1:18 PM, Mike Hoye mh...@mozilla.com wrote:
The word vote implies that the act of voting has a direct effect on the
outcome, which is clearly not the case here and really shouldn't be. But
that's probably the root of a lot of community frustration.
Forums like Reddit
The Java Deployment Kit can be used to force the use of a down-rev
vulnerable version of Java if it's installed and even prompt for its
installation (which a large number of users will fall for, even if a small
percent). It's an enterprise feature and an enterprise-managed deployment
The patch in the bug removes it from the shared manifest parser,
Thunderbird and SeaMonkey are out of luck unless they fork this.
dev-platform mailing list
On Wed, Apr 15, 2015 at 6:13 PM, Karl Dubost kdub...@mozilla.com wrote:
Socially, eavesdropping is part of our daily life. We go to a café, we are
having a discussion and people around you may listen to what you are saying.
You read a book in the train, a newspaper and people might see what you
On Tue, Apr 14, 2015 at 3:29 AM, Henri Sivonen hsivo...@hsivonen.fi wrote:
I think we should make
the UI designation of plain http undesirable once x% the sites that
users encounter on a daily basis are https. Since users don't interact
with the whole Web equally, this means
On Thu, Apr 16, 2015 at 5:16 AM, david.a.p.ll...@gmail.com wrote:
- You don't want to hear about non-centralized security models. DANE
provides me with control over certificate pinning for people visiting my
[...] If you don't like DANE, explain why, and propose something else
On Wed, Feb 11, 2015 at 2:02 AM, Mike West mk...@google.com wrote:
Not many people are interested
A new version of the charter has been uploaded that hopefully addresses
On Thu, Jan 29, 2015 at 10:32 PM, L. David Baron dba...@dbaron.org wrote:
(1) The Confinement with Origin Web Labels deliverable is described
in a way that makes it unclear what the deliverable would
On Thu, Jan 29, 2015 at 10:32 PM, L. David Baron dba...@dbaron.org wrote:
There are a number of problematic aspects to this charter to which
(1) The Confinement with Origin Web Labels deliverable is described
in a way that makes it unclear what the deliverable would do. It
On 1/7/15 6:51 PM, John Foliot wrote:
(Q: what part of openness = rejecting an attribute that many still
want to see retained? That seems very closed to me...)
Don't confuse open with a democratic and/or consensus process. Open
means that our decision making process is as transparent as
On 10/13/2014 9:25 PM, Chris Peterson wrote:
Going forward, it would be interesting to see a dashboard track Firefox
installer size every day (or show every changeset's delta on Treeherder).
We used to have http://arewesmallyet.com -- I found references to it as
late as a year ago but it seems
On 10/13/2014 4:54 PM, Chris More wrote:
For example, the win32 installer for Firefox 32 is 34MB.
Remember the days when Asa would jump all over people for breaking the
5Mb barrier? https://wiki.mozilla.org/Download_Size
On 10/13/2014 9:15 AM, Jonas Sicking wrote:
This will only be exposed to privileged and certified apps, right?
Other content that does createElement(webview) will simply get a
What does an unprivileged app get if it tries to use iframe
mozbrowser? Probably not an
On 9/8/2014 2:16 AM, Mounir Lamouri wrote:
On Sun, 7 Sep 2014, at 04:56, Martin Thomson wrote:
It's more the case that a persistent positive grant from permission
manager would be ignored for non-secure origins and non-secure origins
would not show any option to persist.
I don't know the
On 8/24/2014 6:21 PM, Eric Rescorla wrote:
FWIW, to the best of my knowledge WebRTC calls do not require a click.
But you have to click on the door-hanger to share camera/mic (or be on a
site you have already trusted not to abuse the permissions).
Many of you may have seen the earlier add-on file registration and
signing discussions. I have posted a revised proposal that requires all
add-ons to be signed (AMO-hosted add-ons will be signed automatically)
to the mozilla.addons.user-experience group/list.
If you're interested in this
On 6/5/2014 8:50 AM, Boris Zbarsky wrote:
On 6/5/14, 11:39 AM, Matthew Gertner wrote:
The problem is that on sites that enforce their own CSP, the resources
may not be loaded. For example, github.com has script-src set to
'self' so it won't load stylesheets via our protocol. Is there any way
On 1/9/2014 9:47 AM, Gavin Sharp wrote:
In theory (mine at least), the field is free to be used for planning
which release you want the bug fixed in, before the bug is fixed.
After the bug is fixed, it should be used as you describe.
Some groups do use the field this way, for example the NSS
On 1/30/2013 8:03 PM, Ehsan Akhgari wrote:
It turns out that disabling PGO but keeping LTCG enabled reduces the
memory usage by ~200MB, which means that it's not an effective
measure. Disabling both LTCG and PGO brings down the linker's
virtual memory usage to around 1GB, which means that we