Re: Intent to Implement: canvas-imagedata permission

2018-01-11 Thread Gervase Markham
On 10/01/18 18:40, Tom Ritter wrote: > This proposal is that. Add a permission 'canvas-imagedata' that will > return 'granted' when Resist Fingerprinting mode is disabled, and > 'prompt' when RP is enabled and appropriate. As this is basically a "is RF turned on?" flag, why not just call it that?

Re: Password autofilling

2018-01-09 Thread Gervase Markham
On 01/01/18 20:08, Jonathan Kingston wrote: > A recent research post[1] has highlighted the need for Firefox to disable > autofilling of credentials. The research post suggests web trackers are > using autofilling to track users around the web. Autofill is restricted to same-domain (roughly) so

Re: Intent to unship: navigator.registerContentHandler()

2018-01-09 Thread Gervase Markham
On 03/01/18 15:15, Jonathan Kingston wrote: > I am suggesting the removal of navigator.registerContentHandler > > API used to register a web page to handle content types. I'm sure unshipping it is the right thing

Re: Intent to remove Ambient Light and Proximity sensor APIs

2017-12-18 Thread Gervase Markham
On 18/12/17 18:25, Tantek Çelik wrote: > Do you know of a specific (URL?) mobile-device-capable (which > device(s)?) WebRTC-based audio-calling webapp that works today? I > would be very interested in testing it out. appear.in, which supports both audio and video calling via WebRTC, works in

Re: Intent to remove Ambient Light and Proximity sensor APIs

2017-12-18 Thread Gervase Markham
On 17/12/17 15:29, Jonathan Kingston wrote: > I am suggesting the removal of both Ambient Light and Proximity Sensor APIs > via a preference so we can ensure there is no adverse impact to the web > with a quick mitigation if needed. Is it fair to say that after removal of the Proximity Sensor

Re: Stylesheet wait timeout?

2017-09-01 Thread Gervase Markham
On 31/08/17 19:08, Boris Zbarsky wrote: > The symptoms you observe sound like (A) is happening, possible from an > extension or our browser UI...  If you have a link to a specific url > that reproduces for you, especially in a clean profile, that would be > pretty useful.  This is usually pretty

Re: Stylesheet wait timeout?

2017-09-01 Thread Gervase Markham
On 31/08/17 20:00, Michael Froman wrote: > I’ve seen this behavior too on OSX. I did a restart with all add-ons > disabled and could not reproduce. Restarted with all add-ons on, and > can reproduce. I narrowed it down to Ghostery. If I disable > Ghostery, it no longer appears to happen for me.

Re: Stylesheet wait timeout?

2017-09-01 Thread Gervase Markham
On 31/08/17 18:45, Chris Peterson wrote: > Gerv, do you have Stylo enabled? Even if you did not flip the pref > (layout.css.servo.enabled), you might be in the Stylo experiment for > Nightly users. Check about:support for "Stylo". about:support says "Stylo: true (enabled by default)". Gerv

Re: Stylesheet wait timeout?

2017-08-31 Thread Gervase Markham
On 18/08/17 12:11, Gervase Markham wrote: Whereas what I meant to say was: Have we changed the timeout recently regarding how long Firefox waits for a stylesheet before rendering the page? In the past few weeks I've seen many more instances of a page loading unstyled, then re-laying out

Stylesheet wait timeout?

2017-08-18 Thread Gervase Markham
___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform

Re: IDNA processing

2017-05-18 Thread Gervase Markham
On 18/05/17 14:14, Anne van Kesteren wrote: > That's fairly non-specific, unless you really mean that you don't want > "A" lowercased. Well, yes, as you note, with UTS#46 or whatever it is. > I don't think it's that big, there's plenty of other things disallowed > that we should always be able

Re: IDNA processing

2017-05-15 Thread Gervase Markham
On 12/05/17 08:46, Anne van Kesteren wrote: > For about five years I've been trying to figure out the IDNA algorithm > that a) browsers follow and b) browsers want to follow, but I've not > had much luck thus far getting folks to reply. E.g., >

Re: Ambient Light Sensor API

2017-04-26 Thread Gervase Markham
On 25/04/17 16:46, Eric Rescorla wrote: > This suggests that maybe we could just turn it off It would be sad to remove a capability from the web platform which native apps have. Surely we can avoid this problem without being so drastic? Is it right that one key use of this sensor is to see if the

Re: Better download security through browsers

2017-03-27 Thread Gervase Markham
On 24/03/17 17:12, Gregory Szorc wrote: > This got me thinking: why doesn't the user agent get involved to help > provide better download security? What my (not a web standard spec author) > brain came up with is standardized metadata in the HTML for the download > link (probably an ) that defines

Re: ANN: Default bug view for BMO changed today!

2017-03-03 Thread Gervase Markham
On 02/03/17 17:11, Byron Jones wrote: > set "Use absolute format instead of relative time when viewing a bug" Or if you just want to see it, mouse over and read the tooltip. Gerv

Re: What are your use cases for the Touch Bar on the new MacBook Pro?

2017-01-04 Thread Gervase Markham
On 03/01/17 17:17, Stephen A Pohl wrote: > We are gathering ideas for possible use cases of the Touch Bar on the > new MacBookPro and would like to hear from you! What would improve your > workflow? What would help our users? When the developer tools are open, change the Touch Bar to give quick

Re: Intent to ship: NetworkInformation

2016-12-19 Thread Gervase Markham
On 16/12/16 20:25, Jason Duell wrote: > So a switch that toggles the "network is expensive" bit, plus turns off > browser updates, phishing list fetches, etc? I can see how this would be > nice for power users on a tethered cell phone network. One issue would be > to make sure users don't forget

Re: Intent to ship: NetworkInformation

2016-12-16 Thread Gervase Markham
On 15/12/16 14:20, Daniel Stenberg wrote: > Looking at that collection of existing user, basically all of them want > the user to answer this question: > > "Use expensive traffic (y/n)" And this should be an OS-level switch which the browser and other apps both respect and reflect. Doesn't

Re: RSSOwl

2016-11-22 Thread Gervase Markham
Hi Jonathan, On 22/11/16 08:30, Jonathan Moore wrote: > I was wondering if the RSSOwl feed reader could become part of the > Mozilla foundation? > Anyone have any thoughts? Well, Mozilla very rarely adopts projects started outside itself in this way. Perhaps Rust is the only example I can think

Re: Windows XP and Vista Long Term Support Plan

2016-10-25 Thread Gervase Markham
On 24/10/16 18:44, Eric Rescorla wrote: > This seems to assume facts not in evidence, namely that people will stop > using those > machines rather than just living with whatever the last version we updated > them to. I think you've misread what I said. I said that if it turns out that (for

Re: Intent to restrict to secure contexts: navigator.geolocation

2016-10-25 Thread Gervase Markham
On 24/10/16 21:12, Ehsan Akhgari wrote: > I suppose we can use the HTTPS Everywhere ruleset for this purpose, > assuming it's something we can (and want to) ship? Shipping this seems like a heavyweight way to deal with the deprecation of the geolocation permission. If we want to implement HTTPS

Re: Intent to restrict to secure contexts: navigator.geolocation

2016-10-24 Thread Gervase Markham
On 22/10/16 18:12, Ehsan Akhgari wrote: > Have we considered doing something here to help the user when we block > this API? For example, we could check to see whether the site has a TLS > version If there were a reliable way to do this, HTTPS Everywhere would be a whole lot easier to write and

Re: Windows XP and Vista Long Term Support Plan

2016-10-24 Thread Gervase Markham
On 22/10/16 10:16, keithgallis...@gmail.com wrote: > My concern is that by killing digital certificate updates and TLS > updates, still in use machines whose main purpose is Internet access > are essentially bricked. This is a feature, not a bug. If those machines shouldn't be on the Internet,

Re: Want to learn TLS certificate verification best practices

2016-10-03 Thread Gervase Markham
Hi Ben, This question might be better off in mozilla.dev.tech.crypto. On 30/09/16 23:00, Ben Cottrell wrote: > I'm working on an (unfortunately closed-source) project that needs > to closely approximate the behavior of an actual web browser, in > the limited scope of making HTTPS connections and

Re: Report your development frustrations via `mach rage`

2016-08-09 Thread Gervase Markham
On 09/08/16 08:57, Chris Mills wrote: > mach issue > mach complain > mach complaint > mach feedback? (does it have to be negative, necessarily?) mach itbetter ? mach animprovement ? :-) Gerv

Re: Owner for Commit Access Policy

2016-08-04 Thread Gervase Markham
On 04/08/16 16:22, Hal Wine wrote: > On Thu, Aug 4, 2016 at 1:48 AM, Gervase Markham <g...@mozilla.org > <mailto:g...@mozilla.org>> wrote: > > I had a few abortive goes at this a few years ago; it's an enormous > effort to get everyone on the sam

Re: Owner for Commit Access Policy

2016-08-04 Thread Gervase Markham
On 04/08/16 06:06, Gregory Szorc wrote: > I'm going to say something that might be a bit contentious: I think a > single commit access policy for all of Mozilla reflects the needs of > Mozilla from several years ago, not the needs of Mozilla today. The world > has changed. Mozilla has changed. The

Re: Triage Plan for Firefox Components

2016-04-13 Thread Gervase Markham
On 12/04/16 21:01, Mark Côté wrote: > Meant to reply to this earlier... BMO has a User Story field that sounds > like it does exactly what you want. It's an editable field that keeps > history (admittedly not in an easy-to-read way, but that could be > improved). Despite the name of the field,

Re: Triage Plan for Firefox Components

2016-04-04 Thread Gervase Markham
On 01/04/16 15:51, Mike Hommey wrote: > Bug status is currently, IMHO, completely misused and thus useless: > - people with editbug capability file as NEW by default. Why should a bug > I file in a component I'm not working on (because I noticed a bug > in Firefox) be NEW? > - there is a long

Re: Are we in favour of implementing the client hints header?

2016-03-08 Thread Gervase Markham
On 08/03/16 06:22, Andrew Overholt wrote: > Implement Client-Hints HTTP header > https://bugzilla.mozilla.org/show_bug.cgi?id=935216 Well, we are in favour of adaptive content, progressive enhancement, responsive images in HTML, and feature detection. The question is whether we think that these

Re: APNG and Accept-Encoding

2016-02-25 Thread Gervase Markham
On 22/02/16 14:58, Xidorn Quan wrote: > But older Firefoxes go away fairly quickly, so I wouldn't consider > this as a valid reason blocking us moving forward. I'm not sure that's as true as we'd like it to be :-| Gerv

Re: APNG and Accept-Encoding

2016-02-22 Thread Gervase Markham
On 21/02/16 14:30, maxste...@gmail.com wrote: > Here's interesting live example, this website provides lots of > animated cursors to download, and they show them online as APNGs in > Firefox and Safari, and as GIFs in other browsers. Cursor's ANI > format is 32bit and animated, but it's not

Re: APNG and Accept-Encoding

2016-02-18 Thread Gervase Markham
On 18/02/16 07:45, Jeff Muizelaar wrote: > Is there a response to the criticism of Accept outlined here: > https://wiki.whatwg.org/wiki/Why_not_conneg#Negotiating_by_format As Guardian of the Accept Header, that would be my question too. Using Accept to detect APNG support will never be reliable

Re: Bug Program Next Steps

2016-01-29 Thread Gervase Markham
On 30/01/16 00:45, Emma Humphries wrote: > This is a terminal state for a NEW bug. We acknowledge the bug exists, it > affects people, but it is not important enough to warrant working on it. > The team will review and accept patches from the community for this bug > report. Without wanting to

Re: Dan Stillman's concerns about Extension Signing

2015-12-14 Thread Gervase Markham
On 27/11/15 15:50, Gavin Sharp wrote: > No, that's not right. There's an important distinction between > "finding malicious JS code" and "finding _all_ malicious JS code". The > latter is impossible, but the former isn't. > > Proving "the validator won't catch everything" isn't particularly >

Re: Dan Stillman's concerns about Extension Signing

2015-11-27 Thread Gervase Markham
On 26/11/15 17:13, Mike Hoye wrote: > Stillman wrote some new code and put it through a process meant to catch > problems in old code, and it passed. That's unfortunate, but does it > really surprise anyone that security is an evolving process? That it > might be full of hard tradeoffs? There

Re: Fido U2F, two-factor authentication support

2015-11-20 Thread Gervase Markham
On 18/11/15 19:26, phow...@ccvschools.com wrote: > This is definitely an important feature, but I'm not holding my > breath. I have had a lot of experience with Mozilla over the years > and I really doubt anything will materialize in the near future. Feeling particularly entitled today, are we?

Re: Intent to ship: WebVR

2015-10-30 Thread Gervase Markham
On 29/10/15 17:07, vladi...@mozilla.com wrote: >> At one point, integrating with available hardware required us to use >> proprietary code. Is shipping proprietary code in Firefox any part of >> this plan, or not? > > No. Awesome! :-) Gerv

Re: Intent to ship: WebVR

2015-10-28 Thread Gervase Markham
On 26/10/15 19:19, Kearwood "Kip" Gilbert wrote: > As of Oct 29, 2015 I intend to turn WebVR on by default for all > platforms. It has been developed behind the dom.vr.enabled preference. > A compatible API has been implemented (but not yet shipped) in Chromium > and Blink. At one point,

Re: Changes in chrome JS code due to ES6 global lexical scope

2015-09-18 Thread Gervase Markham
On 17/09/15 19:59, Shu-yu Guo wrote: > Because until now, our global 'let' semantics have been identical to > those of 'var', I have already landed a patch that mass replaces global > 'let' with 'var' as part of bug 1202902. I think someone should make you a "var is the new let" t-shirt...

Re: Web API equivalent of nsIEffectiveTLDService / publicsuffix.org database?

2015-08-10 Thread Gervase Markham
On 09/08/15 03:10, Andrew Sutherland wrote: On 08/08/2015 10:00 PM, Andrew Sutherland wrote: Are there any plans to surface the contents of https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDService from https://publicsuffix.org/ via a web-facing

Re: Web API equivalent of nsIEffectiveTLDService / publicsuffix.org database?

2015-08-10 Thread Gervase Markham
On 09/08/15 10:51, Anne van Kesteren wrote: There is https://www.w3.org/Bugs/Public/show_bug.cgi?id=25865 which is about more formally defining eTLDs and perhaps even exposing an API. However, it's unclear whether exposing an API is a good thing. eTLDs are used for cookies, storage boundaries

Re: Proposed W3C Charters: Web Platform and Timed Media Working Groups

2015-08-10 Thread Gervase Markham
On 09/08/15 19:59, L. David Baron wrote: The Timed Media WG splits some of the media work that was happening in HTML (MSE, EME) into a separate group. Do we see a risk here that this group will become captured by the promoters of DRM, more than was possible when it was done in the HTML WG?

Re: Web API equivalent of nsIEffectiveTLDService / publicsuffix.org database?

2015-08-10 Thread Gervase Markham
On 10/08/15 08:22, Tim Guan-tin Chien wrote: The list ... changes a few times per month [1]. What's the consequence of using an outdated list in the app? It depends very much on what you are using the list for, and what changes your copy doesn't have. If you were using the list for setting

Re: LGPL external library support in gecko

2015-07-08 Thread Gervase Markham
On 08/07/15 07:17, Kyle Machulis wrote: If you've had requirements for an external library with an LGPL license, we now have a place to put them. There's still some odd things that you have to do with symbol visibility to get this to work (feel free to ping me or hit #build on IRC if you have

Re: State synchronization - use cases?

2015-06-26 Thread Gervase Markham
At last! Hallelujah! :-) On 26/06/15 10:38, Richard Barnes wrote: 1. You want every browser to have the same set of data 2. The data change relatively slowly (we are aiming for ~24hr deliveries) If anyone has use cases in addition to the above, please let me know. * The Public Suffix List.

Re: Voting in BMO

2015-06-11 Thread Gervase Markham
On 09/06/15 23:07, Mark Côté wrote: I would ask, then, what the purpose of the feature is. If we know it isn't used to make decisions, why use it? The only thing I can think of is as a sort of spam honeypot, to get people to not +1 or me too bugs, but this seems strange at best and actively

Re: Intent to implement and ship: document.execCommand(cut/copy)

2015-05-06 Thread Gervase Markham
On 06/05/15 08:00, Tantek Çelik wrote: Result: loss of user data that user had put into the clipboard previously. This isn't possible with current DOM APIs and is a new vulnerability introduced by cut/copy. Given that most text-editing applications have undo (if you used cut originally), this

Re: Intent to implement and ship: document.execCommand(cut/copy)

2015-05-06 Thread Gervase Markham
On 06/05/15 18:36, Tom Schuster wrote: I think the ribbon would be really useful if it allowed the user to restore the previous clipboard content. However this is probably not possible for all data that can be stored in clipboards, i.e. files. Which is why we wouldn't overwrite the clipboard

Re: Intent to implement and ship: document.execCommand(cut/copy)

2015-05-06 Thread Gervase Markham
On 06/05/15 19:38, Adam Roach wrote: action. I think this position is pretty strongly bolstered by Dave Graham's message about GitHub behavior: Although IE 11 supports this API as well, we have not enabled it yet. The browser displays a popup dialog asking the user for permission to copy to

Re: Intent to deprecate: Insecure HTTP

2015-05-04 Thread Gervase Markham
On 01/05/15 19:02, Matthew Phillips wrote: You must have missed my original email: It's paramount that the web remain a frictionless place where creating a website is dead simple. That is not true today of people who want to run their own hosting. So people who want frictionless use

Re: Intent to deprecate: Insecure HTTP

2015-05-04 Thread Gervase Markham
On 03/05/15 03:39, Xidorn Quan wrote: This has been happening in the Internet in China. I would suggest you use 360 Secure Browser, one of the major browsers in China. They completely consider the experience of developers and users. Their browser allows user to access a website even if the

Re: Intent to deprecate: Insecure HTTP

2015-05-04 Thread Gervase Markham
On 01/05/15 20:40, Eric Shepherd wrote: In my case, the situation is that I have classic computers running 1-10 megahertz processors, for which encrypting and decrypting SSL is not a plausible option. For this edge case, I would say the solution is to use a proxy, run on one of your other

Re: Intent to deprecate: Insecure HTTP

2015-04-28 Thread Gervase Markham
On 24/04/15 23:06, Roger Hågensen wrote: On Tuesday, April 21, 2015 at 2:56:21 PM UTC+2, Gervase Markham wrote: This makes checking in with the browser maker a necessary prerequisite for secure connections. That has problems. How so? Certificates have to be checked today as well

Re: Intent to deprecate: Insecure HTTP

2015-04-21 Thread Gervase Markham
Very briefly: On 21/04/15 12:43, skuldw...@gmail.com wrote: 1. User downloads a browser (be it Firefox, Chrome, Opera, etc.) securely (https?) from the official download location. 2. Upon installation a private key is created for that browser installation and signed by the browser's

Re: Intent to deprecate: Insecure HTTP

2015-04-16 Thread Gervase Markham
On 16/04/15 02:13, Karl Dubost wrote: Definitely. The resistance in this thread is NOT about people against security, but 1. we want to be able to choose 2. if we choose safe, we want that choice to be easy to activate. I'd have it the other way. If you even assume choice should be possible

Re: Intent to deprecate: Insecure HTTP

2015-04-15 Thread Gervase Markham
On 14/04/15 22:59, northrupthebandg...@gmail.com wrote: The article assumes that when folks connect to something via SSH and something changes - causing MITM-attack warnings and a refusal to connect - folks default to just removing the existing entry in ~/.ssh/known_hosts without actually

Re: Intent to deprecate: Insecure HTTP

2015-04-15 Thread Gervase Markham
On 14/04/15 17:46, j...@chromium.org wrote: I just wanted to mention that regarding subresource integrity (https://w3c.github.io/webappsec/specs/subresourceintegrity/), the general consensus over here is that we will not treat origins as secure if they are over HTTP but loaded with integrity.

Re: Intent to deprecate: Insecure HTTP

2015-04-15 Thread Gervase Markham
On 14/04/15 13:32, Eric Shepherd wrote: My main concern with the notion of phasing out unsecured HTTP is that doing so will cripple or eliminate Internet access by older devices that aren't generally capable of handling encryption and decryption on such a massive scale in real time. While

Re: Intent to deprecate: Insecure HTTP

2015-04-15 Thread Gervase Markham
On 14/04/15 16:39, david.a.p.ll...@gmail.com wrote: There are already multiple sources of free publicly-trusted certificates, with more on the way. https://www.startssl.com/ https://buy.wosign.com/free/ https://blog.cloudflare.com/introducing-universal-ssl/ https://letsencrypt.org/ I

Re: Intent to deprecate: Insecure HTTP

2015-04-15 Thread Gervase Markham
On 15/04/15 10:59, Anne van Kesteren wrote: HTTPS already has mixed content, we should not make it worse. What's actually wrong with mixed content? 1) The risk of content tampering. Subresource integrity makes that risk go away. 2) Reduced privacy. And that's why the connection would be marked

Re: Intent to deprecate: Insecure HTTP

2015-04-14 Thread Gervase Markham
On 14/04/15 08:47, david.a.p.ll...@gmail.com wrote: realistic idea. Meanwhile, HTTPS exists, is widely deployed, works, and is the focus of this thread. http://www.zdnet.com/article/google-banishes-chinas-main-digital-certificate-authority-cnnic/ Sure it works :) Yep. That's the

Re: Intent to deprecate: Insecure HTTP

2015-04-14 Thread Gervase Markham
On 14/04/15 01:57, northrupthebandg...@gmail.com wrote: * Less scary warnings about self-signed certificates (i.e. treat HTTPS+selfsigned like we do with HTTP now, and treat HTTP like we do with HTTPS+selfsigned now); the fact that self-signed HTTPS is treated as less secure than HTTP is - to

Re: Intent to deprecate: Insecure HTTP

2015-04-13 Thread Gervase Markham
On 13/04/15 15:57, Richard Barnes wrote: Martin Thomson and I drafted a one-page outline of the plan with a few more considerations here: https://docs.google.com/document/d/1IGYl_rxnqEvzmdAP9AJQYY2i2Uy_sW-cg9QI9ICe-ww/edit?usp=sharing Are you sure privileged contexts is the right phrase?

Re: Intent to deprecate: Insecure HTTP

2015-04-13 Thread Gervase Markham
On 13/04/15 18:40, DDD wrote: I think that you'll need to define a number of levels of security, and decide how to distinguish them in the Firefox GUI: - Unauthenticated/Unencrypted [http] - Unauthenticated/Encrypted [https ignoring untrusted cert warning] - DNS based auth/Encrypted

Re: Chrome removed support for multipart/x-mixed-replace documents. We should too.

2015-03-13 Thread Gervase Markham
On 12/03/15 16:04, Seth Fowler wrote: It looks like it doesn’t anymore, because it works fine in Chrome. It does; it browser-sniffs. Gerv

Re: Project Silk on Desktop

2015-03-12 Thread Gervase Markham
On 11/03/15 18:12, Mason Chang wrote: Project Silk (http://www.masonchang.com/blog/2015/1/22/project-silk), which aligns rendering to vsync, will be landing over the next couple of weeks (bug 1071275). You should expect smoother animations and scrolling while browsing the web. It'll land in 4

Re: Permission UI

2015-03-05 Thread Gervase Markham
On 05/03/15 07:40, Anne van Kesteren wrote: This would require everything that's like github.io to register as a public suffix. github.io already is a public suffix :-) If some private entity is handing out subdomains to mutually-untrusting 3rd parties, there are a number of reasons they

Re: HTTP/2 and User-Agent strings?

2015-02-05 Thread Gervase Markham
On 05/02/15 02:24, Karl Dubost wrote: Maybe something we can discuss soon: Feb 18, 2015. Some Microsoft people will be there. https://wiki.mozilla.org/WebCompat_Summit_%282015%29#Summit_Schedule Yes; I'd love to hear their take on this. Duelling product groups in Microsoft? Gerv

Re: HTTP/2 and User-Agent strings?

2015-02-04 Thread Gervase Markham
On 28/01/15 15:45, Gijs Kruitbosch wrote: That's IE11, which is not the same as Spartan. Hmm. I'm surprised that having managed to trim down the UA for IE 11 to be not old IE, standards compliant stuff please, they then take the opposite approach with Spartan, when they want to send basically

Re: HTTP/2 and User-Agent strings?

2015-01-28 Thread Gervase Markham
On 27/01/15 09:16, Chris Peterson wrote: btw, here is the spartan User-Agent string for Microsoft's new Spartan browser: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0 Really?

Re: landing soon: core APIs for VR

2014-11-21 Thread Gervase Markham
On 19/11/14 17:15, Vladimir Vukicevic wrote: - Figure out how to ship/package/download/etc. the Oculus runtime pieces. The last discussions on these were that you were planning to approach Oculus to enquire about getting them under an open source license. How did that go? If that's not going

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS

2014-11-19 Thread Gervase Markham
On 18/11/14 04:03, voracity wrote: The issue isn't that people are cheapskates, and will lose 'a few dollars'. The issue is that transaction costs http://en.wikipedia.org/wiki/Transaction_cost can be crippling. https://letsencrypt.org/ . Gerv

Re: Moratorium on new XUL features

2014-10-16 Thread Gervase Markham
On 15/10/14 14:24, Boris Zbarsky wrote: I haven't thought much about #3; it's somewhat in its own little world and has no web tech equivalent. Although glazou did propose one a decade ago: http://disruptive-innovations.com/zoo/20040830/HTMLoverlays.html Gerv

Re: Intent to implement: WOFF2 webfont format

2014-10-09 Thread Gervase Markham
On 08/10/14 15:44, Patrick McManus wrote: I'm not aware of font negotiation - but negotiation is most useful when introducing new types (such as woff2). The google compression proxy already does exactly that for images and people are successfully using the AWS cloudfront proxy in environments

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS

2014-09-17 Thread Gervase Markham
On 15/09/14 16:34, Anne van Kesteren wrote: It seems very bad if those kind of devices won't use authenticated connections in the end. Which makes me wonder, is there some activity at Mozilla for looking into an alternative to the CA model? What makes you think that switching away from the CA

Re: Intent to implement: webserial api

2014-07-14 Thread Gervase Markham
On 13/07/14 18:35, tzi...@gmail.com wrote: Jonas, I would be really interested in your thoughts. Try as we might (in the WebSerial API docs, at least), no one could actually think of a use case where providing access to a physical (RS232), or Virtual (VirtualUSB or VirtualBluetooth) serial port

Re: B2G, email, and SSL/TLS certificate exceptions for invalid certificates

2014-06-02 Thread Gervase Markham
On 30/05/14 18:53, Joshua Cranmer wrote: Forgive me, but that sounds like I'm going to propose a solution with one glaring flaw that has always sunk it in the past, and then gloss over that flaw by saying 'I don't have the security experience - someone else fix it'. Actually, that is

Re: Intent to Implement: Encrypted Media Extensions

2014-05-30 Thread Gervase Markham
On 27/05/14 19:44, Chris Pearce wrote: Encrypted Media Extensions specifies a JavaScript interface for interacting with plugins that can be used to facilitate playback of DRM protected media content. We will also be implementing the plugin interface itself. We will be working in partnership

Re: B2G, email, and SSL/TLS certificate exceptions for invalid certificates

2014-05-30 Thread Gervase Markham
On 29/05/14 07:01, Mike Hoye wrote: It's become clear in the last few months that the overwhelmingly most frequent users of MITM attacks are state actors with privileged network positions either obtaining or coercing keys from CAs, I don't think that's clear at all. Citation needed. I think

Re: B2G, email, and SSL/TLS certificate exceptions for invalid certificates

2014-05-30 Thread Gervase Markham
On 28/05/14 17:49, Joshua Cranmer wrote: * Insufficiently secure certificate (e.g., certificates that violate CA/Browser Forum rules or the like. I don't know if we actually consider this a failure right now, but it's a reasonable distinct failure class IMHO) We would refuse e.g. a cert

Re: Intent to implement: WebGL 2.0

2014-05-08 Thread Gervase Markham
On 08/05/14 12:56, Benoit Jacob wrote: (*plug*) this might be useful reading: https://hacks.mozilla.org/2013/04/the-concepts-of-webgl/ Comedy. I just read that article, and thought this article is awesomely useful. I then looked at the comments, and it turned out that the first comment is from

Re: Spring cleaning: Reducing Number Footprint of HG Repos

2014-03-27 Thread Gervase Markham
On 27/03/14 00:53, Taras Glek wrote: *User Repos* TLDR: I would like to make user repos read-only by April 30th. We should archive them by May 31st. I think that if you truly intend to go ahead with this, the news will need way, way wider circulation than mozilla.dev.platform. I have some

Re: Including Adobe CMaps

2014-02-28 Thread Gervase Markham
On 26/02/14 20:21, Jonathan Kew wrote: Lets turn this question around. If we had an on-demand way to load stuff like this, what else would we want to load on demand? A few examples: Spell-checking dictionaries Hyphenation tables Fonts for additional scripts If this came with an update

Re: Including Adobe CMaps

2014-02-28 Thread Gervase Markham
On 28/02/14 12:37, Jonathan Kew wrote: Presumably we always want the complete PSL available. So it really should be part of the base product, not a [try-to-]load-on-demand resource. I was proposing it be part of the base product, but updated on demand. Isn't it sufficient to update that with

Re: Mozilla style guide issues, from a JS point of view

2014-01-08 Thread Gervase Markham
On 07/01/14 22:26, Jeff Walden wrote: which was unreadable. You simply can't easily skim and see where the body starts and where the condition ends, even with braces. We shoved the opening brace to its own line: if (somethingHere() somethingElse()) { doSomething(); } AIUI,

Re: Mozilla style guide issues, from a JS point of view

2014-01-07 Thread Gervase Markham
On 07/01/14 00:46, Jeff Walden wrote: JS widely uses 99ch line lengths (allows a line-wrap character in 100ch terminals). Given C++ symbol names, especially with templates, get pretty long, it's a huge loss to revert to 80ch because of how much has to wrap. Is there a reason Mozilla couldn't

Re: Should we disable autoplay feature of HTMLMediaElement on mobile?

2013-12-09 Thread Gervase Markham
On 08/12/13 12:28, Tetsuharu OHZEKI wrote: On today's web, there are many interactive web sites which play sounds when you open them. I suspect this is somewhat dependent on your culture and environment; it's not a problem on the set of websites I visit :-) Some of them are not controlled by

Re: Is there any reason not to shut down bonsai?

2013-11-26 Thread Gervase Markham
On 21/11/13 21:12, Laura Thomson wrote: bonsai is old code, and written in very old-fashioned perl. As such, security bugs are frequently filed against it, and it's very hard to find people who are willing and able to fix them. If you are willing and able, let me know: I can hook you up with

Re: Cost of ICU data

2013-10-16 Thread Gervase Markham
On 15/10/13 17:06, Benjamin Smedberg wrote: With the landing of bug 853301, we are now shipping ICU in desktop Firefox builds. This costs us about 10% in both download and on-disk footprint: see https://bugzilla.mozilla.org/show_bug.cgi?id=853301#c2. After a discussion with Waldo, I'm going to

Re: Cost of ICU data

2013-10-16 Thread Gervase Markham
On 16/10/13 14:47, Anne van Kesteren wrote: The API is synchronous so that seems like a bad idea. As in, it'll cause the tab to freeze (one time only, when a new language is called for) while the file is downloading? OK, that's bad, but so is having Firefox be a lot bigger... Perhaps, as Brian

Re: What platform features can we kill?

2013-10-10 Thread Gervase Markham
On 10/10/13 00:28, Philipp Kewisch wrote: So you are saying, we should start removing features that could decrease the attack surface? ...and that we don't need. What I'm saying is: perhaps feature-ectomies (and driving the web or our code to a position where we can make them) may be higher

What platform features can we kill?

2013-10-09 Thread Gervase Markham
Attack surface reduction works: http://blog.gerv.net/2013/10/attack-surface-reduction-works/ Removing E4X broke the NSA's EGOTISTICALGOAT attack - a type confusion vulnerability in E4X. In the spirit of learning from this, what's next on the chopping block? A quick survey of the security-group

Re: Detection of unlabeled UTF-8

2013-09-06 Thread Gervase Markham
On 06/09/13 16:17, Adam Roach wrote: To the first point: the increase in complexity is fairly minimal for a substantial gain in usability. Absent hard statistics, I suspect we will disagree about how fringe this particular exception is. Suffice it to say that I have personally encountered it

Re: Detection of unlabeled UTF-8

2013-08-30 Thread Gervase Markham
On 29/08/13 19:41, Zack Weinberg wrote: All the discussion of fallback character encodings has reminded me of an issue I've been meaning to bring up for some time: As a user of the en-US localization, nowadays the overwhelmingly most common situation where I see mojibake is when a site puts

Re: Intent to implement: NavigationController

2013-08-09 Thread Gervase Markham
On 08/08/13 23:52, Ehsan Akhgari wrote: I think you forgot the bug number. :-) Ehsan: any chance you could trim your responses? I had to page-down 9 times in my mail client just to read this one line... Thanks :-) Gerv

Re: On indirect feedback

2013-08-05 Thread Gervase Markham
On 05/08/13 14:53, Bas Schouten wrote: Although I agree fully that by far the best way of offering feedback is by talking to that person directly, I do think we have to face the fact that at this point in time a significant number of people find it very hard to speak to people directly about

Re: Generic data update service?

2013-07-16 Thread Gervase Markham
On 15/07/13 14:57, Benjamin Smedberg wrote: Or it means that we need to be willing to issue dot-releases to update these items. We're pretty nimble with the desktop release cycle already. We should definitely measure this tradeoff before doing a bunch of engineering on this. As I understand

Re: review stop-energy (was 24hour review)

2013-07-15 Thread Gervase Markham
On 11/07/13 14:24, Boris Zbarsky wrote: On 7/11/13 7:59 AM, Gervase Markham wrote: Hey, if we had a PTO app that tracked all absences, we could integrate with it... sigh Just in case you were talking about the moco PTO app, it doesn't track absences for non-MoCo employees, and even
