mozilla :: #security

18 Apr 2017
08:18 JuPaname: you need shell account for free ? contact me =)
08:18 freddyb: that sounds sketchy.
08:19 freddyb: we have shell accounts on, for contributors (or is it only paid staff??)
17:41 sheppy: We have a doc bug asking if this sentence is correct. Anyone know if it is? "Stylesheets are considered active content, so content normally considered passive referenced from a stylesheet is considered mixed passive/display content."
17:49 kbrosnan: sounds more like a bz/dbaron question
17:50 kbrosnan: or maybe jet as he is the manager for the style team last i knew
17:57 sheppy: bz told me to ask in here. :D
17:58 sheppy: jet|tokyo: Do you know the answer to that?
18:29 freddyb: sheppy: this seems like a question about mixed content blocking, i.e., a question for tanvi. but tanvi is on leave. I'm not sure who else worked on mixed content. maybe ckerschb or dveditz know? :D
18:30 dveditz: uh, huh.
18:30 sheppy: Yeah, the original info for that article came from tanvi.
18:30 dveditz: that's a confusing sentence
18:30 sheppy: Hoping to find someone who can answer me now instead of waiting.
18:31 sheppy: dveditz: I agree. Just not sure what to do with it.
18:31 dveditz: there's two possible interpretations... securesite->securestyle->insecureimg (A) vs securesite->insecurestyle->img (B)
18:31 dveditz: in B we block the style (active content) so any "passive" items it references are missing not because they were blocked, but because we blocked our way of knowing about them
18:32 freddyb: if (B), then insecurestyle would already not load (because passive), so there would never be any img. must be (A). no?
18:32 dveditz: in case (A) I think the image is still just "passive" and not blocked
18:32 * freddyb nods
18:33 sheppy: For context:
18:33 dveditz: sheppy: I think the statement is correct to the extent it's saying anything intelligible? but it's hard for me to interpret that sentence
18:34 freddyb: it's not well explained, but the way you analyzed it makes sense to me, dveditz
18:35 dveditz: the note says, basically, "passive content is passive content" I think? I'm not sure what stylesheets need to be called out there.
18:35 freddyb: Stylesheets are considered active content. Resources considered passive content (i.e., images) which are loaded through a stylesheet are still considered passive though.
18:36 sheppy: It just means that loading an item that is normally passive content using a stylesheet means the item is instead passive/display.
18:36 sheppy: That's what it's trying to say I think.
18:36 freddyb: how about this as a replacement suggestion.
18:36 freddyb: sheppy: "passive" is the same as "passive/display"
18:37 sheppy: Yeah, hence the bug suggesting it should say "active".
18:37 dveditz: further down it says (under active content) All cases in CSS where a url value is used (@font-face, cursor, background-image, and so forth).
18:37 sheppy: But it sounds like that's wrong?
18:37 * freddyb tests
18:37 dveditz: so maybe the note should say "mixed ACTIVE" content, not "mixed passive"
18:38 dveditz: if that's true (could be?) then it would make sense to have to note that
18:38 sheppy: I think so. I think it's a typo, basically.
18:38 dveditz: because it seems odd
18:39 sheppy: I don't know. This is the sort of thing I rely heavily on others for when I document. :)
18:39 dveditz: I don't remember the spec making that distinction but I wasn't following it as closely since Tanvi had it handled
18:40 dveditz: the _spec_ says "optionally blockable" content includes "This category of content includes:
18:40 dveditz: Images loaded via img or CSS (background-image, border-image, etc) "
18:40 dveditz: which contradicts our page
18:40 dveditz: (but better fits my mental model)
18:40 sheppy: dveditz: link to that text please?
18:40 dveditz: should wait on freddy's report on actual implementation fact
18:41 sheppy: Thank you
18:41 freddyb: hmpf my domain redirects to https.
18:41 freddyb: so does people.m.o, heh.
18:43 dveditz: yeah, they "fixed" people :-(
18:47 freddyb: found a plain text stylesheet to load from a news website
18:47 freddyb: they still deliver fine plain HTTP css :-)
18:55 dveditz: you're saying we treat style as "passive" mixed content?
18:55 dveditz: there are probably tests in the tree
18:56 freddyb: yeah, I suppose that would be easier to find than test with domains that don't play with me
18:58 dveditz: no, we should block that:
18:59 freddyb: that's only for blocking insecure HTTP styles, no?
18:59 freddyb: doesn't say about loads for passive stuff _through_ stylesheets
19:01 dveditz: as far as I can tell, when we get to the decision point we don't know what referenced an image. images are passive
19:01 dveditz: we don't say "if this came from a stylesheet then we'll block it"
19:01 dveditz: that also is my interpretation of the spec
19:02 dveditz: maybe the docs were written at an earlier in-between stage?
19:02 dveditz: sheppy: ^^^^
19:03 freddyb: yeah, that's how I interpret things too.
19:03 sheppy: Okay. Good. That's what I figured. Glad for the confirmation. I'll fix the page when I get home from the appointment I'm off to.
19:03 freddyb: so maybe rewrite into something less confusing.
19:04 freddyb: sheppy: you can take my suggestion from above. thank you for checking in :)
19:04 sheppy: It's what I do. Thanks for taking the time to help, both of you!
23:37 aja: hi all...noticed an "issue" with firefox' handling of HPKP headers vs. elsewhere
23:37 aja: ff doesn't allow 0 spaces between HPKP parameters
23:38 aja: chrome, various security header checkers, e.g. don't seem to care about 0 spaces between parms
23:41 aja: i like the idea of ff whining about it in console, but think that it maybe ought to be more lenient in parsing to actually make use of the 0-space header
23:45 aja: in other words, accept ; followed by no spaces: "pin-sha256='';'pin-sha256='';
23:59 aja: erm... "pin-sha256='';'pin-sha256=''";
19 Apr 2017
No messages