Re: Redirecting http://hg.mozilla.org/ to https://

2017-01-31 Thread Ehsan Akhgari
I have two extra suggestions for added security benefits:

1. In order to ensure that clients that support CSP will never attempt
to contact the HTTP version of the site for fetching any subresources
that may still point to http:, please make sure to serve the
|Content-Security-Policy: upgrade-insecure-requests| header from HTTP.


2. In order to ensure that clients that support HSTS will never attempt
to contact the HTTP version of the site at all (once they have visited
the https site once), please make sure to serve the
|Strict-Transport-Security: max-age=NNN| header from the HTTPS version
of the site.  This will also improve performance for those clients as a
side benefit by eliminating one roundtrip to the server to get the 301
redirect.


Thanks,
Ehsan

On 2017-01-26 5:17 PM, Gregory Szorc wrote:
> It may be surprising, but hg.mozilla.org is
> still accepting plain text connections via http://hg.mozilla.org/ and
> isn't redirecting them to https://hg.mozilla.org/.
> 
> On February 1 likely around 0800 PST, all requests to
> http://hg.mozilla.org/ will issue an HTTP 301 Moved Permanently redirect
> to https://hg.mozilla.org/.
> 
> If anything breaks as a result of this change, the general opinion is it
> deserves to break because it isn't using secure communications and is
> possibly a security vulnerability. Therefore, unless this change causes
> widespread carnage, it is unlikely to be rolled back.
> 
> Please note that a lot of 3rd parties query random content on
> hg.mozilla.org. For example, Curl's widespread
> mk-ca-bundle.pl script for bootstrapping the
> trusted CA bundle queried http://hg.mozilla.org/ until recently [1]. So
> it is likely this change may break random things outside of Mozilla.
> Again, anything not using https://hg.mozilla.org/ should probably be
> treated as a security vulnerability and fixed ASAP.
> 
> For legacy clients only supporting TLS 1.0 (this includes Python 2.6 and
> /usr/bin/python on all versions of OS X - see [2]), hg.mozilla.org
> still supports [marginally secure compared to
> TLS 1.1+] TLS 1.0 connections and will continue to do so for the
> foreseeable future.
> 
> This change is tracked in bug 450645. Please subscribe to stay in the
> loop regarding future changes, such as removing support for TLS 1.0 and
> not accepting plain text http://hg.mozilla.org/ connections at all.
> 
> Please send comments to bug 450645 or reply to
> dev-version-cont...@lists.mozilla.org.
> 
> [1]
> https://github.com/curl/curl/commit/1ad2bdcf110266c33eea70b895cb8c150eeac790
> [2] https://github.com/Homebrew/homebrew-core/issues/3541
> 
> 
> ___
> firefox-dev mailing list
> firefox-...@mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev
> 

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
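An added example, not code from the thread or from Mozilla's infrastructure: a small checker for the two header suggestions above (CSP `upgrade-insecure-requests` on the plain-HTTP side, HSTS with a real `max-age` on the HTTPS side) plus the 301 itself. It parses raw HTTP/1.1 response heads; the host name is taken from the announcement, and the sample responses are constructed for the example, not captured from the site.

```python
from urllib.parse import urlsplit

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response head into (status, {lowercase-name: value})."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value: str):
    """max-age (seconds) from a Strict-Transport-Security value, or None if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return None

def check_http_side(raw: str, host: str):
    """Problems with the plain-HTTP response: 301 to https://host plus CSP upgrade."""
    status, h = parse_response(raw)
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    target = urlsplit(h.get("location", ""))
    if target.scheme != "https" or target.hostname != host:
        problems.append("Location is not https:// on the same host")
    csp = [d.strip() for d in h.get("content-security-policy", "").split(";")]
    if "upgrade-insecure-requests" not in csp:
        problems.append("missing CSP upgrade-insecure-requests")
    return problems

def check_https_side(raw: str):
    """Problems with the HTTPS response: HSTS must carry a positive max-age."""
    _, h = parse_response(raw)
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None:
        return ["missing Strict-Transport-Security max-age"]
    if age == 0:  # max-age=0 is the opt-out form: it clears any stored policy
        return ["HSTS max-age=0 clears the policy instead of setting it"]
    return []

# Constructed sample responses for this example, not captures from the real site.
HTTP_RESPONSE = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://hg.mozilla.org/\r\n"
                 "Content-Security-Policy: upgrade-insecure-requests\r\n\r\n")
HTTPS_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")
```

Run `check_http_side(HTTP_RESPONSE, "hg.mozilla.org")` and `check_https_side(HTTPS_RESPONSE)`; an empty list means the response meets the suggestion, otherwise each string names a gap.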


Re: Intent to Implement: adding vector effects non-scaling-size, non-rotation and fixed-position to SVG

2017-01-31 Thread Jet Villegas
We had a good conversation with Ramin last week in Tokyo. The topic of
interoperability was discussed at length, and we also talked about where
Mozilla's 2017 priorities align with KDDI's.

To summarize, Mozilla is prioritizing the Web-compatibility and Performance
of the interoperable subset of the SVG feature set. That is, we will work
on features that:

A. other browsers support, and
B. authors actually use, or
C. the Firefox browser user interface requires.

Thanks,

--Jet


On Tue, Jan 31, 2017 at 12:11 AM,  wrote:

> Has there been any feedback from Google, Apple or Microsoft?
>
> We've landed stuff preffed off before and had to remove it in the end as
> it's just so much dead weight without any chance of being preffed on.
> Unless there's an intent to implement this soon from other vendors we
> really shouldn't put in any more effort here and we certainly shouldn't
> land any patches.
>
> Robert


ESlint Updates

2017-01-31 Thread Mark Banner
Three quick notes about updates for things we're doing with ESlint and 
Firefox:


1. There's a new help page on devmo with ESLint tips & advice:
   https://developer.mozilla.org/docs/ESLint
2. Jared has been posting about rules being enabled on his blog:
   https://msujaws.wordpress.com/
3. I have just landed enabling the no-undef rule for services/ on autoland
   (assuming it sticks).

More information on no-undef:

 * I'm planning to enable it for toolkit/ and browser/ soon. This is
   likely to be a phased roll-out.
 * Due to the way our import system works (Cu.import and also xul/html
   files including multiple js files), detecting all the globals has
   been quite complicated. We're getting there, but it isn't perfect
   yet, but we've already been finding bugs and dead code, so the
   benefits are real.
 * The devmo page lists hints for working with no-undef. These should
   hopefully get simpler over time.

If there's any questions or comments, please stop by #eslint on irc.

Mark.



Re: Intent to Implement: adding vector effects non-scaling-size, non-rotation and fixed-position to SVG

2017-01-31 Thread longsonr
Has there been any feedback from Google, Apple or Microsoft?

We've landed stuff preffed off before and had to remove it in the end as it's 
just so much dead weight without any chance of being preffed on. Unless there's 
an intent to implement this soon from other vendors we really shouldn't put in 
any more effort here and we certainly shouldn't land any patches.

Robert