mozilla :: #security

7 Aug 2017
07:33 annevk Chrome is making the Notifications API secure context only? Should we?
07:43 freddyb hmm
07:43 freddyb on the one hand notifications are behind a permission and it's hard to say you've given the permission to a specific website when you can't guarantee or establish authenticity on that channel, because of plain-text HTTP
07:44 ttaubert injecting notifications via some http news site you subscribed to sounds fun
07:47 freddyb :)
07:47 freddyb as an aside, ads can already do that. also on HTTPS websites :-)
07:50 ttaubert yeah. well that's why we have ublock :)
07:51 freddyb :)
10:55 annevk freddyb: I think basically because there is a prompt HTTPS is a requirement (but then that also means it is for <form>, which it should be but can't)
10:55 freddyb well, I think it's a meaningful line to draw
13:46 annevk Emailed dev-platform about it
13:49 johannh annevk: Chrome says 90% of users request notifications over https, that sounds like a lot to me, do we have telemetry on this?
13:49 * johannh goes looking
13:51 johannh expectedly, I don't think we do
13:52 annevk johannh: not sure, I was mostly wondering whether anyone would object to doing this in principle
13:52 annevk johannh: I suppose it might take a while with deprecation warnings and such to make everyone comfortable to ship it, although on the other hand it's a mostly additive feature
13:54 johannh I'd say this is actually quite a good driver for HTTPS adoption, since all these news sites can't request their spam notifications anymore
13:54 johannh Unless they adopt HTTPS
14:35 annevk Yeah, they have been doing that to some extent for Push Notifications already, but this might help
16:32 Caspy7 Someone points out a privacy issue in Android Firefox's Private browsing mode https://www.reddit.com/r/firefox/comments/6s38db/privacy_issue_with_onscreen_keyboards_in_private/
16:33 Caspy7 Something Chrome handles now.
17:33 ulfr keeler, jcj: do you know if microsoft consumes CRLs or has something similar to onecrl for code signing certs?
17:34 jcj ulfr: I am afraid I don't know how they handle that sort of thing for code signing. Gerv might.
17:34 keeler ulfr: they must, but I don't know the details
18:56 ryzokuken news regarding MWoS?
19:22 bhavishya_ ryzokuken: Yeah I too want to know...and thanks for the reply earlier
19:23 ryzokuken o/ bhavishya_
8 Aug 2017
No messages
   