Re: Intent to ship: CSP directive worker-src

2017-09-22 Thread Daniel Veditz
On Fri, Sep 22, 2017 at 7:24 AM, Anne van Kesteren wrote: > > We plan to ship the CSP directive worker-src within Firefox 58. > > Will we also start enforcing script-src for workers? It seems good > that if you restrict script it actually stops all scripts. > Yes. That's what we enforced under

Re: Eliminating nsIDOM* interfaces and brand checks

2017-09-22 Thread Boris Zbarsky
On 9/4/17 4:51 AM, Anne van Kesteren wrote: Also, do we need this for Promise, Map, Set, etc., or just IDL-defined objects? For the moment, just the latter, I think, in that we have no one who is trying to do it for the former... -Boris

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Blair MacIntyre
>>> We discussed this a bit with Anne on IRC. It seems like this API is a good >>> use case for a permission prompt to the user. Since the API works by >>> registering an event listener, the only realistic option seems to be >>> Permission.request() before registering the event listeners. Unf

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
On 09/22/2017 11:33 AM, Blair MacIntyre wrote: What's the reason for this? I don't know for sure, but it may be necessary for things like AR/VR to have higher resolution than that. The reason is to limit the frequency of sensor data the web application receives to allow it to guesstimate the c

Re: Null[C]String() has been renamed Void[C]String()

2017-09-22 Thread Boris Zbarsky
On 9/22/17 1:31 PM, Eric Rahm wrote: The problem is these were never a null string, they're a voided empty string. Sure. In the DOM usage, it's "a string that will convert to JS null when converting to 'DOMString?'", and not anything about the string itself being null. Arguably that API s

Re: Null[C]String() has been renamed Void[C]String()

2017-09-22 Thread Eric Rahm
The problem is these were never a null string, they're a voided empty string. If you do a `str.get()` it gives you a valid pointer, not nullptr. Regardless, while this was primarily a string change, we probably should have pinged a dom peer; I had forgotten the weirdness that is DOMString [1]. Argu

Browser Architecture Newsletter 3

2017-09-22 Thread Dave Townsend
Welcome to the third Browser Architecture Newsletter! Since our last update, we’ve continued to investigate moving away from XBL and started to document what we’re talking about when we

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Anne van Kesteren
On Fri, Sep 22, 2017 at 4:50 PM, Ehsan Akhgari wrote: > We discussed this a bit with Anne on IRC. It seems like this API is a good > use case for a permission prompt to the user. Since the API works by > registering an event listener, the only realistic option seems to be > Permission.request()

Re: removing "the old way" of signing add-ons

2017-09-22 Thread David Keeler
Hi Onno, The work was done in bug 1382749. The first post in this thread outlined what would be removed as a result of doing this - namely the upper right corner of the label in the add-on installation dialog as you mentioned. Note that as of bug 1366243 (shipping in 56), by default Gecko-based pr

Re: Device orientation/motion events privacy issues

2017-09-22 Thread James Willcox
On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: > Hi everyone, > > A couple of weeks ago, this proof of concept attack circled its way around > Twitter: > > https://krausefx.github.io/whats-the-user-doing/ > > This simple web app, once loaded on mobile, with a disturbing degree of > accurac

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Blair MacIntyre
>> What's the reason for this? I don't know for sure, but it may be necessary >> for things like AR/VR to have higher resolution than that. > The reason is to limit the frequency of sensor data the web application > receives to allow it to guesstimate the changes to the device position to > limi

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
On 09/22/2017 10:20 AM, James Willcox wrote: On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: Hi everyone, A couple of weeks ago, this proof of concept attack circled its way around Twitter: https://krausefx.github.io/whats-the-user-doi

Re: Intent to ship: CSP directive worker-src

2017-09-22 Thread Christoph Kerschbaumer
> On Sep 22, 2017, at 4:24 PM, Anne van Kesteren wrote: > > On Fri, Sep 22, 2017 at 4:18 PM, Christoph Kerschbaumer > wrote: >> We plan to ship the CSP directive worker-src within Firefox 58. > > Will we also start enforcing script-src for workers? It seems good > that if you restrict script i

Re: Intent to ship: CSP directive worker-src

2017-09-22 Thread Anne van Kesteren
On Fri, Sep 22, 2017 at 4:18 PM, Christoph Kerschbaumer wrote: > We plan to ship the CSP directive worker-src within Firefox 58. Will we also start enforcing script-src for workers? It seems good that if you restrict script it actually stops all scripts. -- https://annevankesteren.nl/

Intent to ship: CSP directive worker-src

2017-09-22 Thread Christoph Kerschbaumer
Hey Everyone, within CSP2 workers used to be governed by the child-src directive [0]. CSP3 introduces the worker-src directive [1] which governs Workers, SharedWorkers as well as ServiceWorkers. Please note that the child-src directive has been deprecated within CSP3 in favor of worker-src as we
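
The directive lookup this intent-to-ship and the replies describe (worker-src first, the deprecated child-src still honoured as a fallback, then script-src, then default-src, which is the CSP3 order), as an added example that is not Firefox's CSP implementation and not code from the thread: a small evaluator that parses a serialized policy and decides whether a given worker URL may load. The policies, origins and URLs below are constructed; source matching is simplified (no nonce or hash sources, plain path-prefix matching) and is an assumption of this example, not a description of Gecko's matcher.

```javascript
'use strict';

// Parse a serialized CSP into Map(directive name -> [source expressions]).
// Per CSP, a repeated directive name is ignored after its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// CSP3 lookup order for a worker request: worker-src, else the deprecated
// child-src, else script-src, else default-src.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

function effectiveDirective(directives, chain) {
  for (const name of chain) if (directives.has(name)) return name;
  return null;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Match one source expression against a URL (simplified, see lead-in). Handles
// 'self', 'none', '*', scheme sources ("https:") and host sources with optional
// scheme, "*." host wildcard, port and path prefix. Nonce/hash sources are not handled.
function matchesSource(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port && port !== '*' && urlPort !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Decide whether `workerUrl` may be loaded as a worker by a page at `pageOrigin`
// under `policy`. Returns the verdict and the directive that produced it.
function allowsWorker(policy, workerUrl, pageOrigin) {
  const directives = parseCsp(policy);
  const name = effectiveDirective(directives, WORKER_FALLBACK);
  if (name === null) return { allowed: true, directive: null }; // nothing governs workers
  const url = new URL(workerUrl, pageOrigin);
  const allowed = directives.get(name).some((src) => matchesSource(src, url, pageOrigin));
  return { allowed, directive: name };
}

// Constructed cases for a page at https://app.example.
const PAGE = 'https://app.example';
const CASES = [
  // worker-src present: CDN scripts are allowed, CDN workers are not
  ["default-src 'self'; script-src 'self' https://cdn.example; worker-src 'self'", 'https://cdn.example/w.js'],
  // no worker-src or child-src: script-src governs, so the CDN worker is allowed
  ["default-src 'self'; script-src 'self' https://cdn.example", 'https://cdn.example/w.js'],
  // deprecated child-src still takes precedence over script-src for workers
  ["default-src 'self'; script-src 'self'; child-src https://frames.example", '/w.js'],
  // restricting script stops workers too, as the thread asks for
  ["script-src 'none'", '/w.js'],
];
for (const [policy, worker] of CASES) console.log(policy, '=>', allowsWorker(policy, worker, PAGE));
```

The third case is the one worth checking against a real policy: a site that set child-src for frames in the CSP2 era keeps governing workers with it under this order, so adding worker-src explicitly is the way to decouple the two.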

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
On 09/22/2017 09:53 AM, Tom Ritter wrote: On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: * Ensure that we don't leak this information when fingerprinting resisting is turned on for the Tor Browser if we don't already. Tor sets device.sensors.enabled to false, which should disable the

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Tom Ritter
On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: > * Ensure that we don't leak this information when fingerprinting > resisting is turned on for the Tor Browser if we don't already. Tor sets device.sensors.enabled to false, which should disable these events. (If that's not the case, we'd l

Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
Hi everyone, A couple of weeks ago, this proof of concept attack circled its way around Twitter: https://krausefx.github.io/whats-the-user-doing/ This simple web app, once loaded on mobile, with a disturbing degree of accuracy, can tell what the user is doing with their phone, for example, using
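
The mitigations the thread goes on to discuss (a permission gate before any listener receives data, a cap on the rate at which sensor events reach the page, and coarser readings) as an added example that is not Firefox code and not from the thread: a filter placed between the raw deviceorientation stream and application code, run here over a constructed 50 Hz sample stream. The 10 Hz cap and the 1-degree step are assumed values for illustration, not the thresholds Firefox chose.

```javascript
'use strict';

// Constructed sample stream standing in for deviceorientation events: 50 samples at
// 50 Hz (20 ms apart) with sub-degree wobble, roughly what a phone on a desk produces
// while its owner types. Not captured data.
const SAMPLE_STREAM = Array.from({ length: 50 }, (_, i) => ({
  timeStamp: i * 20,
  alpha: 120.13 + Math.sin(i / 3) * 0.37,
  beta: 4.21 + Math.cos(i / 5) * 0.52,
  gamma: -1.08 + Math.sin(i / 7) * 0.21,
}));

// Round a reading to the nearest multiple of `step` degrees; coarse steps remove the
// sub-degree movement that activity inference relies on.
function quantize(value, step) {
  return Math.round(value / step) * step;
}

// Build a stateful filter. Option values are assumptions for this example:
//   granted: whether the user has granted access; until then nothing is delivered
//   maxHz:   highest delivery rate (events closer together than 1000/maxHz ms are dropped)
//   step:    quantization step in degrees
function makeSensorFilter({ granted = false, maxHz = 10, step = 1 } = {}) {
  const minInterval = 1000 / maxHz;
  let lastDelivered = -Infinity;
  let isGranted = granted;
  return {
    grant() { isGranted = true; },
    revoke() { isGranted = false; },
    // Returns the filtered reading, or null if it must be suppressed.
    accept(sample) {
      if (!isGranted) return null;
      if (sample.timeStamp - lastDelivered < minInterval) return null;
      lastDelivered = sample.timeStamp;
      return {
        timeStamp: sample.timeStamp,
        alpha: quantize(sample.alpha, step),
        beta: quantize(sample.beta, step),
        gamma: quantize(sample.gamma, step),
      };
    },
  };
}

// Push a whole stream through a filter and collect what would reach the page.
function deliver(samples, filter) {
  const out = [];
  for (const s of samples) {
    const f = filter.accept(s);
    if (f !== null) out.push(f);
  }
  return out;
}

// Browser wiring: application code only ever sees filtered readings. Returns an
// unsubscribe function.
function listenFiltered(target, filter, callback) {
  const handler = (ev) => {
    const f = filter.accept({ timeStamp: ev.timeStamp, alpha: ev.alpha, beta: ev.beta, gamma: ev.gamma });
    if (f !== null) callback(f);
  };
  target.addEventListener('deviceorientation', handler);
  return () => target.removeEventListener('deviceorientation', handler);
}

// Stand-alone run over the constructed stream: nothing before grant, 10 coarse readings after.
const filter = makeSensorFilter({ maxHz: 10, step: 1 });
console.log('before grant:', deliver(SAMPLE_STREAM, filter).length);
filter.grant();
console.log('after grant:', deliver(SAMPLE_STREAM, filter));
```

Throttling alone is not enough on its own: a 10 Hz stream of full-precision readings still carries the fine wobble, which is why the filter also quantizes, and quantizing alone still leaks timing, which is why it also throttles. Both are applied before the callback runs, so application code has no path to the raw event.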

Re: Null[C]String() has been renamed Void[C]String()

2017-09-22 Thread Boris Zbarsky
On 9/22/17 2:41 AM, Nicholas Nethercote wrote: This probably won't affect most people, because void strings are a niche feature. Not in the DOM. They're used anytime you see "DOMString?" in webidl. http://searchfox.org/mozilla-central/search?q=DOMString%3F&path=webidl shows several hundred h

Heads up: pre-ICU code is being removed in Firefox 58

2017-09-22 Thread zbraniecki
Hi Team, We're currently working on removing all the code that we had for building Gecko and SpiderMonkey without ICU. ICU is our core internationalization library, and CLDR our core internationalization database for both internal and external (think, ECMA402) use. In Firefox 56 we moved the

Re: removing "the old way" of signing add-ons

2017-09-22 Thread Onno Ekker
Op 27-7-2017 om 07:03 schreef Andrew Swan: > On Wed, Jul 26, 2017 at 2:49 AM, Frank-Rainer Grahl wrote: > >> I need to look at the notifications for SeaMonkey anyway but how could >> Thunderbird implement the standard doorhanger with no location bar? I think >> the dialog should be retained for p

Photon Engineering Newsletter #16

2017-09-22 Thread Justin Dolske
(via https://dolske.wordpress.com/2017/09/22/photon-engineering-newsletter-16/) Time to get your groove on! It’s Photon Newsletter #16! But first. Do you remember the 21st night of September? As of today (