mozilla :: #security

6 Oct 2017
01:43 <Caspy7> Haven't had the time and wakefulness to read through all of this, but figure it needs sharing https://blog.lukaszolejnik.com/privacy-of-web-request-api/
02:20 <dveditz> Caspy7: thanks, saw that
07:10 <freddyb> title says "web request" but the article is about web payments. hm.
07:10 <freddyb> ah, no, it's about the interaction of both, nvm. *continues reading*
09:35 <annevk> freddyb: dveditz: ckerschb: https://github.com/whatwg/html/issues/3099 (some push to align more on file URLs and their origins)
09:37 <freddyb> oh, that's a welcome change.
09:39 <annevk> I wonder if I should create some whatwg/security group to ping a whole bunch of folks at once
09:39 <freddyb> I think ours is the way it is because our "Save As" (complete page) renames and re-adjusts resources to be in a subdirectory
09:39 <annevk> freddyb: and you can only load from that subdirectory?
09:39 <freddyb> to make those websites work, I'd assume stuff can't be in distinct origins.
09:40 <freddyb> well, if you go to saved-index.html and all resources are in saved-index-data/ you'd probably want access
09:40 <freddyb> if it were distinct origins and the web page happens to rely on things being same-origin, it'd break
09:40 <annevk> What I'm asking is whether you can access any adjacent resources in the Downloads/ folder
09:40 <freddyb> that's mostly guessing and I don't know how often that feature is even used.
09:41 <annevk> Because I thought our file origin model was same-or-subdirectory, which would make downloads vulnerable
09:42 <freddyb> yes, neighboring files are accessible
09:43 <freddyb> test.html and neighbor.html in Downloads/
09:43 <freddyb> in test.html do fetch("neighbor.html").then(x=>x.text()).then(t => console.log(t))
09:43 <freddyb> prints content of neighbor.html
09:43 <annevk> eww
09:44 <annevk> I guess we should do telemetry for that "Save As" feature first, but that seems like enough reason to align with Chrome
09:44 <freddyb> yep. and I think that's something that needs highlighting in mike's summary. he doesn't discuss neighboring files
09:44 <freddyb> yeah, telemetry for Save As would be very useful here.
09:46 <freddyb> I've never implemented a telemetry probe
09:46 <freddyb> but the line would be somewhere here http://searchfox.org/mozilla-central/source/toolkit/content/contentAreaUtils.js#390 I suppose
09:46 <freddyb> (without ever having looked at that code before)
09:46 <annevk> freddyb: how is disabling sensor APIs going btw?
09:48 <freddyb> gah
09:48 <annevk> aww
09:48 <freddyb> there are some intermittent oranges that I haven't had the chance to hunt down, but they seem sensor related
09:54 <freddyb> https://treeherder.mozilla.org/#/jobs?repo=try&revision=b64ee4c31e22c368d6eaca5053778fa70c8940bf&selectedJob=121605069
09:55 <freddyb> ah, it's actually in Mike's post.
09:56 <freddyb> directory/other-file.html (yes) and directory/subdirectory/file.html (yes) and parent-directory.html (no)
09:57 <freddyb> I'd assume dveditz knows the history behind our implementation decision, which would be important to know before we respond
10:01 <freddyb> *rebases patch*
10:03 <freddyb> annevk: please use @mozfreddyb on github
10:06 <annevk> freddyb: fixed
10:18 <freddyb> thanks, annevk
12:35 <moongazer> Will there be a Mozilla Winter of Security for 2017?
12:36 <freddyb> nope
15:08 <johannh> baku|away: ping when you're not away anymore? :)
22:15 <SolidSnake> pauljt: just a bit curious, but why did MWoS get cancelled this year? Probably not enough time/too busy with other projects, I imagine; with the rush on making 57 perfect, I can imagine
22:15 <SolidSnake> asking in part so I can spread the word if more interested people ask about it :)
22:21 <dveditz> jesup: I said in mail that about:tabs was back. Glandium's extension is actually called "Tab Stats" and WebExtensions can't create about: pages, so the literal "about:tabs" no longer works. You get a toolbar button to launch it
22:21 <dveditz> but otherwise functionality seems the same
22:22 <dveditz> SolidSnake: that's a better question for ulfr, don't think pauljt was involved (also it's Sat. in AUS so he's probably not around)
22:22 <dveditz> "he" being paul
22:28 <SolidSnake> dveditz: ah, much thanks! I remembered he was in Australia, double checked his timezone so as not to ping him at a crazy hour, but totally forgot it would be another day there lol
22:49 <pauljt> I'm here and it's on me
23:02 <pauljt> SolidSnake: the short answer is that we were short on available mentors
23:04 <pauljt> Your guess was right / push for 57 meant small bandwidth for anything not directly related. I hope to reboot next year. In the meantime, I'm looking to find participation options for my team which are possible with our limited bandwidth.
23:06 <pauljt> TL;DR if you (or anyone here) is interested in getting experience in security assurance I'm always happy to point people towards 'good first bugs' - in my team that's less coding and more code review/testing
23:11 <jesup> dveditz: ]o/
23:11 <jesup> \o/
23:39 <SolidSnake> pauljt: Thank you for the candid explanation! :D I figured as much and those are totally fair reasons. I'll pass the word on about 'good first bugs' to all those that are interested, since these guys & girls seem very eager to help with security :)
23:47 <pauljt> if any of said folks happen to be in melbourne, tell them to come to this: https://www.meetup.com/platypus-infosec-melbourne/
23:47 <pauljt> (local security meetup that I'm involved in)
7 Oct 2017
No messages