mozilla :: #security

13 Sep 2017
00:33solenodicin nightly, what's with all the CORS errors on a bunch of websites
00:34solenodicwith inline scripts
00:34solenodicany quick fix before websites fix their CORS settings?
00:35solenodicspecifically, "Content Security Policy: The pages settings blocked the loading of a resource at self (script-src 'unsafe-eval' *)."
00:36solenodicnevermind, it is an addon causing the problem
07:36freddybwxl: no, not from the top of my head. maybe https://wiki.mozilla.org/CA/Incident_Dashboard#Open_CA_Compliance_Bugs is useful?
07:36freddybsolenodic: glad to hear it was an add-on misbehaving.
07:37freddybsolenodic: rather, I'm glad to hear it was not a CSP/CORS bug in Nightly :-) if the addon is misbehaving badly enough that someone should do something about it, let us know through the addon feedback/report channels :-)
15:38casperlHi, are bugs found in nightly eligible for bug bounty?
15:43gsnedderscasperl: https://www.mozilla.org/en-US/security/bug-bounty/faq/#development-releases
15:43gsnedderscasperl: so yes, if it still exists in mozilla-central when you report it
15:44* gsnedders isn't really affiliated with Mozilla so don't take their word as gospel
15:45Alex_Gaynorgsnedders: I think you're on solid ground, quoting from our own policy
15:46gsneddersAlex_Gaynor: Yeah but I'm trying to read ten things at once so I'm not promising I've read it correctly :)
15:50casperlSo where is nightly repo, I only see mozilla-central in https://hg.mozilla.org/
15:53Alex_Gaynorcasperl: mozilla-central is the nightly repo; twice a day a nightly release is produced from it
15:55casperlOh.. I see
15:58freddybcasperl: a bit older, but this blog post still has some great valid points even for non-fuzzing bounty hunters. https://blog.mozilla.org/security/2012/06/20/7-tips-for-fuzzing-firefox-more-effectively/
15:58freddybcasperl: one of the tips is actually explicitly about testing against our nightly versions (i.e., the mozilla-central repo)
15:59casperlI still have a question. for example, 54 nightly version and 53 Aurora are both developed at the same time. So are they in different repos or they are in the same repo such as mozilla-central?
15:59casperlfreddyb: I'll see :)
15:59freddybbbl
16:09wxlfreddyb: i did some heavy reading on the list since june or so (dang, that's a lot) and from what i can gather, no official announcement has been made. a draft proposal exists, and the predominant suggestion seems to be to follow google's timeline, but nothing clear wrt firefox specifically. if you see anything, please ping me!
16:53Caspy7for those who haven't seen yet, there is apparently a new and great horror for the computer world https://youtu.be/LLNtZKpL0P8
16:54Caspy7basically every BlueTooth enabled device is vulnerable to infection
16:54Caspy7https://www.armis.com/blueborne/
17:30* hwine is glad my refrigerator isn't affected
18:38jesupIn you-can't-even-call-this-security....: https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/
14 Sep 2017
No messages
   
Last message: 6 days and 20 hours ago