Re: Proposed W3C Charter: Web Application Security (WebAppSec) Working Group

2015-01-31 Thread Martin Thomson
On Fri, Jan 30, 2015 at 10:40 PM, Brian Smith br...@briansmith.org wrote: Anyway, my point isn't to suggest that Mozilla should ask for this item to be removed from the charter. Rather, my point is that this item has some pretty big, non-obvious ramifications (not just related to tracking)

Re: HEADS-UP: Disabling Gecko Media Plugins on older Linux kernels (bug 1120045)

2015-01-31 Thread Eric Rescorla
On Fri, Jan 30, 2015 at 5:51 PM, Bobby Holley bobbyhol...@gmail.com wrote: I think the point here is that we want to free ourselves from needing the chemspill over OpenH264 memory hazards if we find them (since the code is relatively new). Note that with OpenH264 memory issues, we actually

Re: Proposed W3C Charter: Web Application Security (WebAppSec) Working Group

2015-01-31 Thread Eric Rescorla
On Fri, Jan 30, 2015 at 3:15 PM, L. David Baron dba...@dbaron.org wrote: On Friday 2015-01-30 11:14 +0100, Anne van Kesteren wrote: On Fri, Jan 30, 2015 at 7:32 AM, L. David Baron dba...@dbaron.org wrote: I'm particularly interested in review of point (3) in what I've written; I feel

WebRTC leaks IP addresses without approval from user

2015-01-31 Thread Xidorn Quan
These days there is a page that demonstrates how WebRTC leaks IP addresses without approval from user. [1] And there is a bug about this long ago. [2] There are two concerns of this leakage: 1. It can leak the private local IP address to the web, which is a notable fingerprint. 2. It leaks the real IP

Re: Evaluating the performance of new features

2015-01-31 Thread Fabrice Desré
On Sat, 31 Jan 2015 20:05:46 +0800, Philip Chee wrote: On 31/01/2015 14:03, Vladan Djeric wrote: We do need a performant key-value store implementation. This has been discussed before and various people have come up with proposals (myself included), but no one has had the time focus to see

Re: Evaluating the performance of new features

2015-01-31 Thread Philip Chee
On 31/01/2015 14:03, Vladan Djeric wrote: We do need a performant key-value store implementation. This has been discussed before and various people have come up with proposals (myself included), but no one has had the time focus to see it through to the end :/ I suspect part of the problem