Intent to Ship: Show an indicator for insecure HTTP in the URL bar

2019-07-16 Thread Johann Hofmann
In desktop Firefox 70, we intend to show an icon in the “identity block”
(the left hand side of the URL bar which is used to display security /
privacy information) that marks all sites served over HTTP (as well as FTP
and certificate errors) as insecure.


This change is part of our new simplified security UI[1] that will ship in
Firefox 70 and is a continuation of our previous efforts to increase HTTPS
adoption and communicate the dangers of insecure HTTP. Over two years ago we
started showing this indicator for insecure pages with login forms, and
announced our intent to expand showing it for all HTTP pages as HTTPS
adoption increases.

Telemetry tells us that almost 80% of pages in Firefox are now loaded over
HTTPS. Research has shown that users don’t notice the lack of a positive
indicator when they are on insecure pages. Both Safari and Chrome have
started showing a "Not Secure" text for all HTTP pages in their desktop
browsers.

The bug where this change will be made is bug 1562881.

Please let me know if you have any questions or concerns,

Johann

[1] We will soon publish a blog post showing the upcoming changes to our
security UI in 70 and the concept behind it
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Group email address

2019-07-16 Thread Boris Zbarsky

On 7/16/19 10:01 AM, Mahmood Naderan wrote:

> When I post an email to mozilla.dev.platf...@googlegroups.com from my gmail
> account


The right e-mail address for this list is dev-platform@lists.mozilla.org.

-Boris


Re: Problem with hg and git

2019-07-16 Thread Josh Bowman-Matthews
Given how old your installed Mercurial version is, I suspect the problem 
with git (fatal: Unable to find remote helper for 'hg') is similar. I 
recommend installing updated Mercurial and git packages and trying again.


On 7/16/19 11:24 AM, Mahmood Naderan wrote:

> We attempted to upgrade Mercurial to a modern version (4.8 or newer).
> However, you appear to have version 2.6.2 still.




Group email address

2019-07-16 Thread Mahmood Naderan
Hi,
When I post an email to mozilla.dev.platf...@googlegroups.com from my gmail 
account, I get the following failure return message

 Address not found
Your message wasn't delivered to mozilla.dev.platf...@googlegroups.com because 
the address couldn't be found, or is unable to receive mail. 

However, from the google group page, I can post and then I receive a copy in my 
gmail.

Is that normal?


Re: Group email address

2019-07-16 Thread Mahmood Naderan
Trying now... Thanks.

Regards,
Mahmood




On Tue, Jul 16, 2019 at 6:50 PM Boris Zbarsky  wrote:

> On 7/16/19 10:01 AM, Mahmood Naderan wrote:
> > When I post an email to mozilla.dev.platf...@googlegroups.com from my
> gmail account
>
> The right e-mail address for this list is dev-platform@lists.mozilla.org.
>
> -Boris
>


Firefox command seems to be a wrapper

2019-07-16 Thread Mahmood Naderan
Hi,

I want to analyze firefox by tracing instruction footprints as I am working 
with that. Problem is that when I pass /usr/bin/firefox (or simply firefox) to 
the tracer, it stops logging as soon as the main window opens.

As I looked further, I have noticed that another process is launched and that 
is what I have to analyze. I also have noticed that /usr/bin/firefox isn't 
present in the output of ps command.

# ps aux | grep firefox
mahmood   8358 61.8  0.3 2679204 201348 pts/1  Sl+  12:58   0:03 /usr/lib64/firefox/firefox
mahmood   8494 20.0  0.1 2351288 69648 pts/1   Sl+  12:58   0:00 /usr/lib64/firefox/plugin-container -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr/lib64/firefox/browser 8358 tab
root      8633  0.0  0.0 112664   972 pts/2    S+   12:58   0:00 grep --color=auto firefox

Ignoring the absence of /usr/bin/firefox, when I run 
/usr/lib64/firefox/plugin-container -greomni /usr/lib64/firefox/omni.ja 
-appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr/lib64/firefox/browser 
8358 tab in the terminal, I get shared library access error.

Overall, the firefox command is a wrapper and I am seeking a way to access the
main firefox. I also tried

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/firefox

but wasn't successful. Any idea?


Re: Firefox command seems to be a wrapper

2019-07-16 Thread Mahmood Naderan
OK I will try the source compilation. Please let me know if I have to use
specific options for my purpose or not.
If I build from source, can I do what I want?



> It looks like your Linux distro has set their own wrapper for Firefox.
> That's not something that comes from Firefox itself. So looking at your
> paths, this would suggest /usr/lib64/firefox/firefox is the real,
> non-wrapped, Firefox binary.
> 
> As for whether you'd be losing anything by not using the wrapper, that's
> a question for your distro.
> 
> Mike



Detecting and mitigating DNS attacks (DNSCatcher project)

2019-07-16 Thread Michael Casadevall
Hello all,

I am working on a research project called DNSCatcher which is designed
to provide a level of validation and security to standard DNS.
DNSCatcher is designed as a framework to prevent clients from being
redirected to malicious records and detect potential MITM attacks.  A
technical writeup of the project, problem statement, and its modus
operandi are available here:
https://github.com/NCommander/dnscatcher/blob/master/doc/technical_overview.md.

It is my intent to design a system that can be widely adopted to help
understand the health and security of the DNS ecosystem. To that end, I
would like to get feedback from the Mozilla community on this proposal
and help craft it into a component that can easily be deployed.

As of the time of this email, the current proof-of-concept code is
written in Ada. I intend to standardize the protocol and submit it to
the IETF for publication. In the interests of full disclosure, I am
currently seeking funding from the OTF to complete this project,
although I do intend to work on it regardless of whether funding is
secured or not.

For implementation as a browser extension, it appears that Mozilla only
offers the browser.dns API to make lookups, and is extremely limited.
Given the constraints of the BrowserExtension API, it appears that if I
wish to have full functionality for this project, I will need to deploy
a client daemon on the end user system to provide an HTTP interface on
127.0.0.1. I am open to advice on better mechanisms to achieve this goal.

It is my hope that as this project develops and matures that support for
this extension could eventually make its way into Mozilla’s core
libraries as a native implementation. While I realize we are far from
that point, I welcome any feedback or criticisms of the design of this
project.

Michael


Re: Intent to Implement: CSS backdrop-filter

2019-07-16 Thread Sean Voisen
On Thu, Jul 11, 2019 at 8:47 AM Jeff Muizelaar 
wrote:

> I believe there's some precedent for this. I have a vague memory of a
> browser which didn't have working 3d transforms if not run with a GPU.
> Further, I'm not sure that having a broken backdrop filter is that
> much worse an experience than the performance degradation that comes
> from disabling GPU acceleration. That being said, I agree it's not an
> ideal situation.
>

Sites may rely on the filter in ways that could affect legibility of
content. For instance, text on top of content that has a background blur.
Definitely not ideal.


> I think we can probably postpone making a decision about this until we
> have a working implementation on top of WebRender. We'll then be in a
> better spot to evaluate the work needed to make this work with
> non-WebRender vs waiting for WebRender everywhere vs the weirdness of
> partially shipping it as proposed here.
>

I agree with this plan of attack. The WR implementation can help us assess
the level-of-work and timing for the non-WR implementation (vs waiting for
WR to ship everywhere). Which was essentially the plan all along anyway :)
That said, I think the last option (partial shipping) is not really an
option at all.

Sean


Firefox command seems to be a wrapper

2019-07-16 Thread Mahmood Naderan
Hi,

I want to analyze firefox by tracing instruction footprints as I am working
with that. Problem is that when I pass /usr/bin/firefox (or simply firefox)
to the tracer, it stops logging as soon as the main window opens.

As I looked further, I have noticed that another process is launched and
that is what I have to analyze. I also have noticed that /usr/bin/firefox
isn't present in the output of ps command.

# ps aux | grep firefox
mahmood   8358 61.8  0.3 2679204 201348 pts/1  Sl+  12:58   0:03 /usr/lib64/firefox/firefox
mahmood   8494 20.0  0.1 2351288 69648 pts/1   Sl+  12:58   0:00 /usr/lib64/firefox/plugin-container -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr/lib64/firefox/browser 8358 tab
root      8633  0.0  0.0 112664   972 pts/2    S+   12:58   0:00 grep --color=auto firefox

Ignoring the absence of /usr/bin/firefox, when I run
/usr/lib64/firefox/plugin-container
-greomni /usr/lib64/firefox/omni.ja -appomni
/usr/lib64/firefox/browser/omni.ja -appdir /usr/lib64/firefox/browser 8358
tab in the terminal, I get shared library access error.

Overall, the firefox command is a wrapper and I am seeking a way to access
the main firefox. I also tried

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib64/firefox

but wasn't successful. Any idea?

Regards,
Mahmood


Re: Firefox command seems to be a wrapper

2019-07-16 Thread Mahmood Naderan
>Is just "the main firefox" enough for the tracing you want to do? 

I am looking for a way to run "firefox www.google.com" and then see firefox
open and show the google web page.



>Note
>that all the website rendering happens in separate processes, not the 
>Firefox UI process. 

Maybe that is true for web pages with multitype contents, e.g. text, flash, 
video, ...
So, if it is possible to launch a firefox command to fetch the text of 
websites, e.g. amazon, then that will be good (not the best I want).

Regards,
Mahmood


Re: Firefox command seems to be a wrapper

2019-07-16 Thread Mahmood Naderan
OK I will try the source compilation. Please let me know if I have to use
specific options for my purpose or not.

On Tue, Jul 16, 2019, 02:20 Mike Hommey  wrote:

>
> It looks like your Linux distro has set their own wrapper for Firefox.
> That's not something that comes from Firefox itself. So looking at your
> paths, this would suggest /usr/lib64/firefox/firefox is the real,
> non-wrapped, Firefox binary.
>
> As for whether you'd be losing anything by not using the wrapper, that's
> a question for your distro.
>
> Mike
>


Intent to ship: Add wildcard to Access-Control-Expose-Headers, Access-Control-Allow-Methods, and Access-Control-Allow-Headers

2019-07-16 Thread Kershaw Jang
 Hi everyone,

*Summary*:
Allow more wildcards in CORS headers when used without credentials.
So, the new syntax for these http headers is:
Access-Control-Expose-Headers = #field-name / wildcard
Access-Control-Allow-Methods  = #method / wildcard
Access-Control-Allow-Headers  = #field-name / wildcard

*Bug*:
https://bugzilla.mozilla.org/show_bug.cgi?id=1309358

*Link to standard*:
https://fetch.spec.whatwg.org/#http-new-header-syntax

*Platform coverage*:
all platforms.

*Estimated or target release*:
Firefox 71.

*Preference behind which this will be implemented*:
No preference.

*DevTools bug*:
No.

*Do other browser engines implement this?*
Yes, both Blink and WebKit support this feature.

*web-platform-tests*:
We already have existing wpt tests for this.

*Is this feature restricted to secure contexts?*
No.

Please note that I already landed this patch in nightly since I was not
aware that I should send this email first. If anyone has any concerns,
feel free to file another bug to back this out.

Thanks,
Kershaw
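
The wildcard rule summarised in this message, as an added example that is not part of the original post and is not Firefox code: it models how the Fetch standard treats `*` in the three headers, including that `*` is only a literal token on credentialed requests. The function names and object shapes are assumptions made for the example, and the `Authorization` exception comes from the Fetch standard rather than from the message above.

```javascript
// Added example: models the Fetch-standard wildcard rules for
// Access-Control-Allow-Methods, -Allow-Headers and -Expose-Headers.
// Header objects are assumed to use lowercase header names as keys.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
// Per the Fetch standard, "*" never covers this request header; it has to
// be listed by name even on a non-credentialed request.
const NON_WILDCARD_REQUEST_HEADERS = new Set(["authorization"]);

// Split a comma-separated header value into trimmed, non-empty tokens.
function parseList(value) {
  if (value === undefined || value === null) return [];
  return value.split(",").map((t) => t.trim()).filter((t) => t !== "");
}

// Decide whether a preflight response authorises the actual request.
// request: { method, credentials: "include" | "same-origin" | "omit",
//            unsafeHeaders: [request header names that are not safelisted] }
function checkPreflight(request, preflightHeaders) {
  const credentialed = request.credentials === "include";
  const methods = parseList(preflightHeaders["access-control-allow-methods"]);
  const allowed = parseList(preflightHeaders["access-control-allow-headers"])
    .map((h) => h.toLowerCase());

  // With credentials, "*" is an ordinary token and matches nothing else.
  const methodWildcard = !credentialed && methods.includes("*");
  const headerWildcard = !credentialed && allowed.includes("*");

  if (!methods.includes(request.method) &&
      !SAFELISTED_METHODS.has(request.method) &&
      !methodWildcard) {
    return { ok: false, reason: `method ${request.method} not allowed` };
  }

  for (const raw of request.unsafeHeaders) {
    const name = raw.toLowerCase();
    const listed = allowed.includes(name);
    if (NON_WILDCARD_REQUEST_HEADERS.has(name) && !listed) {
      return { ok: false, reason: `${name} must be listed explicitly` };
    }
    if (!listed && !headerWildcard) {
      return { ok: false, reason: `header ${name} not allowed` };
    }
  }
  return { ok: true, reason: "allowed" };
}

// Compute the CORS-exposed header-name list for a response. The always
// readable CORS-safelisted response headers are left out of this model.
function exposedHeaderNames(request, responseHeaders) {
  const listed = parseList(responseHeaders["access-control-expose-headers"])
    .map((h) => h.toLowerCase());
  if (request.credentials !== "include" && listed.includes("*")) {
    return Object.keys(responseHeaders).map((h) => h.toLowerCase()).sort();
  }
  return listed.sort();
}

// Constructed sample data (not captured traffic).
const WILDCARD_PREFLIGHT = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "*",
};
const WILDCARD_RESPONSE = {
  "access-control-expose-headers": "*",
  "content-type": "application/json",
  "x-request-id": "constructed-1234",
};
const anonymousDelete = {
  method: "DELETE", credentials: "omit", unsafeHeaders: ["X-Custom"],
};
const cookieDelete = { ...anonymousDelete, credentials: "include" };
const tokenDelete = {
  method: "DELETE", credentials: "omit", unsafeHeaders: ["Authorization"],
};

for (const [label, req] of Object.entries(
  { anonymousDelete, cookieDelete, tokenDelete })) {
  const verdict = checkPreflight(req, WILDCARD_PREFLIGHT);
  console.log(label, verdict.ok ? "passes" : `fails: ${verdict.reason}`);
}
console.log("exposed (anonymous):",
  exposedHeaderNames(anonymousDelete, WILDCARD_RESPONSE));
console.log("exposed (credentialed):",
  exposedHeaderNames(cookieDelete, WILDCARD_RESPONSE));
```

A server that answers credentialed requests therefore still has to enumerate methods and headers; a `*` there only matches a method or header literally named `*`.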


Problem with hg and git

2019-07-16 Thread Mahmood Naderan
Hi,
I am trying to install firefox on Centos 7 from source. It seems that I am not 
able to clone via git or hg as shown below

[root@compute-0-4 src]# python bootstrap.py --vcs=git

Note on Artifact Mode:

Artifact builds download prebuilt C++ components rather than building
them locally. Artifact builds are faster!

Artifact builds are recommended for people working on Firefox or
Firefox for Android frontends, or the GeckoView Java API. They are unsuitable
for those working on C++ code. For more information see:
https://developer.mozilla.org/en-US/docs/Artifact_builds.

Please choose the version of Firefox you want to build:
  1. Firefox for Desktop Artifact Mode
  2. Firefox for Desktop
  3. GeckoView/Firefox for Android Artifact Mode
  4. GeckoView/Firefox for Android
Your choice: 2
Executing as root: yum groupinstall "Development Tools"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Maybe run: yum groups mark install (see man yum)
No packages in any requested group available to install or update
Executing as root: yum install autoconf213 nodejs which curl-devel 
python2-devel redhat-rpm-config
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Package autoconf213-2.13-31.el7.noarch already installed and latest version
No package nodejs available.
Package which-2.20-7.el7.x86_64 already installed and latest version
Package libcurl-devel-7.29.0-42.el7_4.1.x86_64 already installed and latest 
version
Package python-devel-2.7.5-58.el7.x86_64 already installed and latest version
Package redhat-rpm-config-9.1.0-76.el7.centos.noarch already installed and 
latest version
Nothing to do
Executing as root: yum groupinstall "Development Tools"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Maybe run: yum groups mark install (see man yum)
No packages in any requested group available to install or update
Executing as root: yum install alsa-lib-devel dbus-glib-devel glibc-static 
gtk2-devel libstdc++-static libXt-devel nasm pulseaudio-libs-devel 
wireless-tools-devel yasm gcc-c++ gtk3-devel python-dbus
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Package alsa-lib-devel-1.1.3-3.el7.x86_64 already installed and latest version
Package dbus-glib-devel-0.100-7.el7.x86_64 already installed and latest version
Package glibc-static-2.17-196.el7.x86_64 already installed and latest version
Package gtk2-devel-2.24.31-1.el7.x86_64 already installed and latest version
Package libstdc++-static-4.8.5-16.el7.x86_64 already installed and latest 
version
Package libXt-devel-1.1.5-3.el7.x86_64 already installed and latest version
Package nasm-2.10.07-7.el7.x86_64 already installed and latest version
Package pulseaudio-libs-devel-10.0-3.el7.x86_64 already installed and latest 
version
No package wireless-tools-devel available.
Package yasm-1.1.0-1.el6.rf.x86_64 already installed and latest version
Package gcc-c++-4.8.5-16.el7.x86_64 already installed and latest version
Package gtk3-devel-3.22.10-4.el7.x86_64 already installed and latest version
Package dbus-python-1.1.1-9.el7.x86_64 already installed and latest version
Nothing to do
Your version of Mercurial (2.6.2) is not modern enough.
(Older versions of Mercurial have known security vulnerabilities. Unless you 
are running a patched Mercurial version, you may be vulnerable.
Executing as root: yum update mercurial
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
No packages marked for update

We attempted to upgrade Mercurial to a modern version (4.8 or newer).
However, you appear to have version 2.6.2 still.

It's possible your package manager doesn't support a modern version of
Mercurial. It's also possible Mercurial is not being installed in the search
path for this shell. Try creating a new shell and run this bootstrapper again.

If it continues to fail, consider installing Mercurial by following the
instructions at http://mercurial.selenic.com/.

Your version of Python (2.7.5) is new enough.
Your version of Rust (1.36.0) is new enough.
Rust supports x86_64-unknown-linux-gnu targets.

Mozilla recommends using git-cinnabar to work with mozilla-central.

Would you like to run a few configuration steps to ensure Git is
optimally configured? (Yn): n

If you would like to clone the mozilla-unified Git repository, please
enter the destination path below.

Destination directory for Git clone (leave empty to not clone): /root
Destination directory '/root' is not empty.

Would you like to clone to '/root/mozilla-unified' instead?
  1. Yes
  2. No, let me enter another path
  3. No, stop cloning
Your choice: 1
Cloning Firefox repository to /root/mozilla-unified
Cloning into '/root/mozilla-unified'...
fatal: Unable to find remote helper for 'hg'
Command '['/usr/bin/git', 'clon

Intent to Ship: Show an indicator for insecure HTTP in the URL bar

2019-07-16 Thread Johann Hofmann
(This was originally posted to both dev-platform and firefox-dev, but seems
to have gotten lost on dev-platform at least for some subscribers, so I'm
resending. Apologies if you've received this twice now.)


In desktop Firefox 70, we intend to show an icon in the “identity block”
(the left hand side of the URL bar which is used to display security /
privacy information) that marks all sites served over HTTP (as well as FTP
and certificate errors) as insecure.


This change is part of our new simplified security UI[1] that will ship in
Firefox 70 and is a continuation of our previous efforts to increase HTTPS
adoption and communicate the dangers of insecure HTTP. Over two years ago we
started showing this indicator for insecure pages with login forms, and
announced our intent to expand showing it for all HTTP pages as HTTPS
adoption increases.

Telemetry tells us that almost 80% of pages in Firefox are now loaded over
HTTPS. Research has shown that users don’t notice the lack of a positive
indicator when they are on insecure pages. Both Safari and Chrome have
started showing a "Not Secure" text for all HTTP pages in their desktop
browsers.

The bug where this change will be made is bug 1562881.

Please let me know if you have any questions or concerns,

Johann

[1] We will soon publish a blog post showing the upcoming changes to our
security UI in 70 and the concept behind it


Re: Problem with hg and git

2019-07-16 Thread Mahmood Naderan
On Tue, Jul 16, 2019 at 8:25 PM Josh Bowman-Matthews 
wrote:

> Given how old your installed Mercurial version is, I suspect the problem
> with git (fatal: Unable to find remote helper for 'hg') is similar. I
> recommend installing updated Mercurial and git packages and trying again.
>



So, I removed hg and installed the latest git via yum on centos 7.

yum install http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm


Still git is unable to fetch the repository. Is it mandatory to have hg?
From the error, I think it is needed after all.



[root@compute-0-4 ~]# git --version
git version 2.22.0
[root@compute-0-4 src]# python bootstrap.py --vcs=git

Note on Artifact Mode:

Artifact builds download prebuilt C++ components rather than building
them locally. Artifact builds are faster!

Artifact builds are recommended for people working on Firefox or
Firefox for Android frontends, or the GeckoView Java API. They are
unsuitable
for those working on C++ code. For more information see:
https://developer.mozilla.org/en-US/docs/Artifact_builds.

Please choose the version of Firefox you want to build:
  1. Firefox for Desktop Artifact Mode
  2. Firefox for Desktop
  3. GeckoView/Firefox for Android Artifact Mode
  4. GeckoView/Firefox for Android
Your choice: 2
Executing as root: yum groupinstall "Development Tools"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Maybe run: yum groups mark install (see man yum)
No packages in any requested group available to install or update
Executing as root: yum install autoconf213 nodejs which curl-devel
python2-devel redhat-rpm-config
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Package autoconf213-2.13-31.el7.noarch already installed and latest version
No package nodejs available.
Package which-2.20-7.el7.x86_64 already installed and latest version
Package libcurl-devel-7.29.0-42.el7_4.1.x86_64 already installed and latest
version
Package python-devel-2.7.5-58.el7.x86_64 already installed and latest
version
Package redhat-rpm-config-9.1.0-76.el7.centos.noarch already installed and
latest version
Nothing to do
Executing as root: yum groupinstall "Development Tools"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Maybe run: yum groups mark install (see man yum)
No packages in any requested group available to install or update
Executing as root: yum install alsa-lib-devel dbus-glib-devel glibc-static
gtk2-devel libstdc++-static libXt-devel nasm pulseaudio-libs-devel
wireless-tools-devel yasm gcc-c++ gtk3-devel python-dbus
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Package alsa-lib-devel-1.1.3-3.el7.x86_64 already installed and latest
version
Package dbus-glib-devel-0.100-7.el7.x86_64 already installed and latest
version
Package glibc-static-2.17-196.el7.x86_64 already installed and latest
version
Package gtk2-devel-2.24.31-1.el7.x86_64 already installed and latest version
Package libstdc++-static-4.8.5-16.el7.x86_64 already installed and latest
version
Package libXt-devel-1.1.5-3.el7.x86_64 already installed and latest version
Package nasm-2.10.07-7.el7.x86_64 already installed and latest version
Package pulseaudio-libs-devel-10.0-3.el7.x86_64 already installed and
latest version
No package wireless-tools-devel available.
Package yasm-1.1.0-1.el6.rf.x86_64 already installed and latest version
Package gcc-c++-4.8.5-16.el7.x86_64 already installed and latest version
Package gtk3-devel-3.22.10-4.el7.x86_64 already installed and latest version
Package dbus-python-1.1.1-9.el7.x86_64 already installed and latest version
Nothing to do

Could not find Mercurial (hg) in the current shell's path. Try starting a
new
shell and running the bootstrapper again.

You do not have Mercurial installed
Executing as root: yum update mercurial
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * rpmforge: ftp-stud.fht-esslingen.de
Package(s) mercurial available, but not installed.
No packages marked for update

Could not find Mercurial (hg) in the current shell's path. Try starting a
new
shell and running the bootstrapper again.

Your version of Python (2.7.5) is new enough.
Your version of Rust (1.36.0) is new enough.
Rust supports x86_64-unknown-linux-gnu targets.

Mozilla recommends using git-cinnabar to work with mozilla-central.

Would you like to run a few configuration steps to ensure Git is
optimally configured? (Yn): n

If you would like to clone the mozilla-unified Git repository, please
enter the destination path below.

Destination directory for Git clone (leave empty to not clone): /root
Destination directory '/root' is not empty.

Would you like to clone to '/root/mozilla-unified' instead?
  1. Yes
  2. No, let me enter another path
  3. No, stop cloning
Your choice: 1

Re: Intent to Ship: Show an indicator for insecure HTTP in the URL bar

2019-07-16 Thread Dirkjan Ochtman
On Tue, Jul 16, 2019, 19:52 Johann Hofmann  wrote:

> The bug where this change will be made is bug 1562881.


Is there a screenshot showing how it will change? I looked at the bug but
didn't see anything there.


Re: Intent to Ship: Show an indicator for insecure HTTP in the URL bar

2019-07-16 Thread Johann Hofmann
I tried embedding it in my email but email is apparently complicated, so I
also attached it to the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1562881#c8

Thanks for letting me know :)

On Tue, Jul 16, 2019 at 9:08 PM Dirkjan Ochtman  wrote:

> On Tue, Jul 16, 2019, 19:52 Johann Hofmann  wrote:
>
>> The bug where this change will be made is bug 1562881.
>
>
> Is there a screenshot showing how it will change? I looked at the bug but
> didn't see anything there.
>


"products" key now required for new Telemetry metrics

2019-07-16 Thread Chris Hutten-Czapski
Hello,

  As part of the project to report GeckoView metrics in Fenix, we have made
the `products` key required for metrics definitions in Histograms.json,
Scalars.yaml, and Events.yaml.

  The products key identifies which "products" (for a hand-wavy definition
of the word 'product') you want your probe to be recorded on and reported
through. If the `products` key for a metric doesn't contain the current
"product", then the data for that metric isn't recorded or reported.

  The full documentation is (or soon will be, if this reaches you before
the code lands either tonight or tomorrow in Nightly 70) available in the
usual places [1] [2] [3], but here's a summary of what you probably need to
know:

  For many cases, the correct value for `products` is `["firefox"]`. This
means Firefox Desktop only. Many metrics are only relevant on Firefox
Desktop, and many decisions are based only on Firefox Desktop data. If the
metric is like that, this will ensure we only collect the data we'll use.
(Mozilla Data Privacy Principle #3 - Limited data) (and we'll save memory
on every other product)

  In other cases the correct value will be the broadest one of `["firefox",
"fennec", "geckoview"]`. This will ensure that the metric is reported by
Firefox Desktop, Firefox for Android, and GeckoView-based products that use
GeckoViewTelemetryController.jsm to submit telemetry (like Focus. Don't
worry, it's okay if you don't know what this stuff is.). This is the full
list of supported products, and is the value that every currently-present
Telemetry metric has been given. This is often too broad, but without
performing a full survey we were unable to scope it more narrowly.

(( If you ever wish to narrow the population reporting your probe (by,
e.g., removing some products from the `products` key), you do not need to
seek Data Collection Review. If you wish to broaden the population (by,
e.g., adding products to the `products` key), you will require Data
Collection Review. ))

  Soon we will be adding a new acceptable value for the "products" key
(currently named "geckoview_streaming") which will enable GeckoView to pass
some Telemetry out to Glean to be reported by products like Fenix. Expect
more on that in the near future.

  If you have any questions, please do not hesitate to reach out. We can be
found on email, IRC#telemetry, and Slack#fx-metrics.

Your Friendly Neighbourhood Firefox Telemetry Team
( :chutten, :Dexter, :janerik, :gfritzsche, and :travis_ )

[1]:
https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/collection/histograms.html#products
[2]:
https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/collection/scalars.html#required-fields
[3]:
https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/collection/events.html#the-yaml-definition-file


Re: Firefox command seems to be a wrapper

2019-07-16 Thread Mike Hommey
On Tue, Jul 16, 2019 at 06:44:36AM +0430, Mahmood Naderan wrote:
> OK I will try the source compilation. Please let me know if I have use
> specific options for my purpose or not.

I'm not sure how you jumped from my response to building from source, but
what I'm saying is that you probably can run /usr/lib64/firefox/firefox.

Mike


Re: Detecting and mitigating DNS attacks (DNSCatcher project)

2019-07-16 Thread Nils Ohlmeier
Hi Michael,

> On 10Jul, 2019, at 13:53, Michael Casadevall  wrote:
> 
> Hello all,
> 
> I am working on a research project called DNSCatcher which is designed
> to provide a level of validation and security to standard DNS.
> DNSCatcher is designed as a framework to prevent clients from being
> redirected to malicious records and detect potential MITM attacks.  A
> technical writeup of the project, problem statement, and its modus
> operandi are available here:
> https://github.com/NCommander/dnscatcher/blob/master/doc/technical_overview.md.

I have to admit that I have not read your full description.
But I have not found any reference to the RIPE Atlas project 
https://atlas.ripe.net/ 
I think it would be worth checking what can be achieved with RIPE Atlas and 
what is missing from that project in comparison to yours.

Best regards
  Nils Ohlmeier

> It is my intent to design a system that can be widely adopted to help
> understand the health and security of the DNS ecosystem. To that end, I
> would like to get feedback from the Mozilla community on this proposal
> and help craft it into a component that can easily be deployed.
> 
> As of the time of this email, the current proof-of-concept code is
> written in Ada. I intend to standardize the protocol and submit it to
> the IETF for publication. In the interests of full disclosure, I am
> currently seeking funding from the OTF to complete this project,
> although I do intend to work on it regardless of whether funding is
> secured or not.
> 
> For implementation as a browser extension, it appears that Mozilla only
> offers the browser.dns API to make lookups, and is extremely limited.
> Given the constraints of the BrowserExtension API, it appears  that if I
> wish to have full functionality for this project, I will need to deploy
> a client daemon on the end user system to provide an HTTP interface on
> 127.0.0.1. I am open to advice on better mechanisms to achieve this goal.
> 
> It is my hope that as this project develops and matures that support for
> this extension could eventually make its way into Mozilla’s core
> libraries as a native implementation. While I realize we are far from
> that point, I welcome any feedback or criticisms of the design of this
> project.
> 
> Michael



Re: Intent to Ship: Show an indicator for insecure HTTP in the URL bar

2019-07-16 Thread Dirkjan Ochtman
On Tue, Jul 16, 2019, 20:12 Johann Hofmann  wrote:

> I tried embedding it in my email but email is apparently complicated, so I
> also attached it to the bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1562881#c8
>
> Thanks for letting me know :)
>

Thanks!

>