Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread s . h . h . n . j . k
How will you leak Geo Location, Camera data, etc, using HTML injecting? I’m saying the origin is vulnerable to HTML injection, and origin is not malicious. ___ dev-platform mailing list dev-platform@lists.mozilla.org

Re: Opt your try pushes into Pernosco

2019-12-03 Thread Kyle Huey via dev-platform
On Mon, Nov 25, 2019 at 10:16 AM Valentin Gosu wrote: > On Mon, 25 Nov 2019 at 18:29, Andrew Halberstadt wrote: > >> Hi everyone, >> >> As of now, you can opt-in to Pernosco analysis on >> your >> try pushes by running: >> >> $ ./mach try fuzzy --pernosco >> >> or: >> >> $

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread Nils Ohlmeier
Hi Thomas, Thank you for pushing feature policy over the finish line and making the web a safer place! Best Nils Ohlmeier > On 25Nov, 2019, at 04:41, Thomas Nguyen wrote: > > Summary: People don’t have a good understanding of iframes, because > generally, no UI indicates that iframes are

Re: Opt your try pushes into Pernosco

2019-12-03 Thread Andrew Halberstadt
On Mon, Nov 25, 2019 at 1:33 PM Kyle Huey wrote: > > On Mon, Nov 25, 2019 at 10:16 AM Valentin Gosu > wrote: > >> I only have push permissions on my @gmail account, not on my @mozilla.com >> one. >> Does this mean I can't trigger a --pernosco try build, or that I need to >> log with my @moz

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread Thomas Nguyen
On Wednesday, November 27, 2019 at 4:55:35 PM UTC+1, s.h...@gmail.com wrote: > How will you leak Geo Location, Camera data, etc, using HTML injecting? I’m > saying the origin is vulnerable to HTML injection, and origin is not > malicious. Thanks, yes, that is a consideration we should care

PSA: Expect decision task bustage from pushes using |mach try again| after pulling central

2019-12-03 Thread Andrew Halberstadt
Hey everyone, Bug 1496768 changed the format of try_task_config.json, the mechanism we use to pass context surrounding your try pushes to the decision task. Since `mach try again` works by saving generated `try_task_configs` in a history

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread Thomas Nguyen
On Monday, November 25, 2019 at 10:38:28 PM UTC+1, s.h...@gmail.com wrote: > 1. If a user already gave permission to certain origin (e.g. skype.com), and > that origin had HTML injection, does that mean attacker can now silently > inherit permission from skype.com? > > 2. If so, how can a

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread s . h . h . n . j . k
1. If a user already gave permission to certain origin (e.g. skype.com), and that origin had HTML injection, does that mean attacker can now silently inherit permission from skype.com? 2. If so, how can a website mitigate the risk of permission being silently taken to third party website?

Re: PSA: The `mach bootstrap` installed Mercurial `evolve` extension needs an update

2019-12-03 Thread Gijs Kruitbosch
Note that running `./mach vcs-setup` will do this, when it prompts: It looks like the setup wizard has already installed a copy of the evolve extension on your machine, at {evolve_dir}. (Relevant config option: extensions.evolve) Would you like to update evolve to the latest version? (Yn)

Proposed W3C Charter: Web Payments Working Group

2019-12-03 Thread L. David Baron
The W3C is proposing a revised charter for: Web Payments Working Group https://www.w3.org/Payments/WG/charter-201910.html https://lists.w3.org/Archives/Public/public-new-work/2019Nov/0003.html The differences from the previous charter are:

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread Thomas Nguyen
On Wednesday, November 27, 2019 at 7:50:46 PM UTC+1, s.h...@gmail.com wrote: > >Conversely, there would be another attack to link to > >attacker spaces on already-trusted sites (but no top-level) >and get > >silently access too. > That is not silent, because user would have already granted

PSA: The `mach bootstrap` installed Mercurial `evolve` extension needs an update

2019-12-03 Thread Jonathan Watt
Mercurial was broken for me this morning after updating Homebrew packages on macOS. It seems that `mach bootstrap` does not yet update its copy of the Evolution extension to be sufficiently new. An `hg pull -u` in `$HOME/.mozbuild/evolve` fixes things. I filed

Re: Soft code freeze for Firefox 72 starts November 25

2019-12-03 Thread Julien Cristau
The next merge to central will have a 73 milestone, so please consider the soft freeze lifted. Thanks, Julien On Thu, Nov 21, 2019 at 4:25 PM Julien Cristau wrote: > Hi all, > > we're fast approaching the start of the 72 beta cycle on December 2nd, > with our "Feature complete" milestone for

Re: PSA: The `mach bootstrap` installed Mercurial `evolve` extension needs an update

2019-12-03 Thread Jonathan Watt
(Conversation taken to the bug.)

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread s . h . h . n . j . k
>Conversely, there would be another attack to link to >attacker spaces on already-trusted sites (but no top-level) >and get silently >access too. That is not silent, because user would have already granted permission to that origin to access in previous model. >Besides, if a user granted

Proposed W3C Charter: Service Workers Working Group

2019-12-03 Thread L. David Baron
The W3C is proposing a revised charter for: Service Workers Working Group https://www.w3.org/2019/11/proposed-sw-wg-charter-2019.html https://lists.w3.org/Archives/Public/public-new-work/2019Nov/0004.html The differences from the previous charter are:

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread kgilbert
On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote: > Summary: People don’t have a good understanding of iframes, because > generally, no UI indicates that iframes are visible on a page, or what > their origin is. Permission requests from iframes cause significant > confusion

Re: Intent to implement and ship: WebXR Device API in Firefox Nightly

2019-12-03 Thread kgilbert
On Tuesday, August 28, 2018 at 5:16:14 PM UTC-7, kgil...@mozilla.com wrote: > Hi David, > > These are all great points, thanks for reviewing this. > > The intent is to not allow WebXR in any iframe (not just sandboxed ones), > until the discussions have settled. I appreciate the feedback on

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread Thomas Nguyen
On Tuesday, November 26, 2019 at 1:03:01 AM UTC+1, kgil...@mozilla.com wrote: > On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote: > > Summary: People don’t have a good understanding of iframes, because > > generally, no UI indicates that iframes are visible on a page, or what

Proposed W3C Charter: Second Screen Working Group

2019-12-03 Thread L. David Baron
The W3C is proposing a revised charter for: Second Screen Working Group https://w3c.github.io/secondscreen-charter/ https://lists.w3.org/Archives/Public/public-new-work/2019Nov/.html The differences from the previous charter are:

Re: Intent to prototype: Delegate and restrict permission in third party context

2019-12-03 Thread Thomas Nguyen
On Tuesday, November 26, 2019 at 1:03:01 AM UTC+1, kgil...@mozilla.com wrote: > On Monday, November 25, 2019 at 9:29:10 AM UTC-8, Thomas Nguyen wrote: > > Summary: People don’t have a good understanding of iframes, because > > generally, no UI indicates that iframes are visible on a page, or what

Proposed W3C Charter: Web of Things Working Group

2019-12-03 Thread L. David Baron
The W3C is proposing a revised charter for: Web of Things Working Group https://www.w3.org/2019/11/proposed-wot-wg-charter-2019.html https://lists.w3.org/Archives/Public/public-new-work/2019Nov/0005.html The differences from the previous charter are:

[desktop] Bugs logged by Desktop Release QA in the last 7 days

2019-12-03 Thread Mihai Boldan
Hello, Here's the list of new issues found and filed by the Desktop Release QA team in the last 7 days. Additional details on the team's priorities last week, as well as the plans for the current week are available at: https://tinyurl.com/y2atdpjj. Bugs logged by Desktop Release QA in the

Removing "clipboard" tag for mochitest

2019-12-03 Thread Julian Descottes
The `clipboard` tag was used as a workaround to run clipboard tests on a separate platform. This workaround was removed in https://bugzilla.mozilla.org/show_bug.cgi?id=1546459, making the tag useless for automation. I plan to remove all the `clipboard` tags from the codebase in

Intent to prototype: Character encoding detector

2019-12-03 Thread Henri Sivonen
# Summary The template says this section should state the benefit to Web developers. There is intentionally no benefit to Web developers. This pair of features is meant to benefit users who encounter badly-authored legacy pages, so that Firefox can retain users instead of the users trying in