Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Kris Maglione
On Mon, Oct 02, 2017 at 09:07:09PM -0400, Boris Zbarsky wrote: On 10/2/17 5:35 PM, Kris Maglione wrote: So far it doesn't look like there's any significant difference on any talos test from adding [NeedsCallerPrincipal] to setAttribute/setAttributeNS/Attr.value, OK. That's a minimum bar,

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Boris Zbarsky
On 10/2/17 5:35 PM, Kris Maglione wrote: So far it doesn't look like there's any significant difference on any talos test from adding [NeedsCallerPrincipal] to setAttribute/setAttributeNS/Attr.value, OK. That's a minimum bar, obviously, but I would still like us to measure what the

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Kris Maglione
On Mon, Oct 02, 2017 at 11:39:21AM -0700, Kris Maglione wrote: On Mon, Oct 02, 2017 at 11:13:20AM -0400, Boris Zbarsky wrote: Passing along a JSContext would work. We could have something like "null means no scripted caller, otherwise caller's compartment is the part that matters". This

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Kris Maglione
On Sun, Oct 01, 2017 at 12:54:26PM -0700, Luke Crouch wrote: On Friday, September 29, 2017 at 2:32:57 PM UTC-5, Kris Maglione wrote: Security & privacy concerns: This change will allow extensions to inject content into sites which can (and probably will) cause security and privacy issues.

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Kris Maglione
On Mon, Oct 02, 2017 at 11:13:20AM -0400, Boris Zbarsky wrote: Passing along a JSContext would work. We could have something like "null means no scripted caller, otherwise caller's compartment is the part that matters". This relies on no one on the setattr path messing with the compartment,

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Kris Maglione
On Mon, Oct 02, 2017 at 07:50:41AM -0700, Daniel Veditz wrote: On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky wrote: On 9/29/17 3:32 PM, Kris Maglione wrote: For instance, the following should all capture the caller principal for the `src` URL at call time:

Re: test-verify now running as tier 2

2017-10-02 Thread Chris Peterson
This is very cool, Geoff! People have been talking about this idea for a long time, so it is great to see it actually running. I'm glad to see chaos mode being tested, too. On 2017-10-02 10:11 AM, Geoffrey Brown wrote: Today the test-verify test task will start running as a tier 2 job. Look for

test-verify now running as tier 2

2017-10-02 Thread Geoffrey Brown
Today the test-verify test task will start running as a tier 2 job. Look for the "TV" symbol on treeherder, on linux-64 test platforms. TV is intended as an "early warning system" for identifying the introduction of intermittent test failures. When a mochitest, reftest, or xpcshell test file is

--verify option added to mochitest, reftest, xpcshell test harnesses

2017-10-02 Thread Geoffrey Brown
The mochitest, reftest, and xpcshell test harnesses now support a --verify option. For example: mach mochitest docshell/test/test_anchor_scroll_after_document_open.html --verify In verify mode, the requested test is run multiple times, in various "modes", in hopes of quickly finding any

Intent to ship: (hyperlink auditing)

2017-10-02 Thread Anne van Kesteren
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=951104 Rationale: There's already a myriad of ways to obtain this data through script. We might as well ship the protocol that both Chrome and Safari ship in the hope that along with sendBeacon() it decreases the usage of the slower alternatives;

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Anne van Kesteren
On Mon, Oct 2, 2017 at 6:09 PM, Boris Zbarsky wrote: > On 10/2/17 12:03 PM, Daniel Veditz wrote: >> Fair enough. Could we propose improvements to the APIs that would make >> them more usable? For example an object argument to createElement() that >> contained attribute/value

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Boris Zbarsky
On 10/2/17 12:03 PM, Daniel Veditz wrote: Fair enough. Could we propose improvements to the APIs that would make them more usable? For example an object argument to createElement() that contained attribute/value pairs? This has definitely been proposed before. Worth checking with Anne to

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Daniel Veditz
On Mon, Oct 2, 2017 at 8:17 AM, Boris Zbarsky wrote: > The fact is, direct DOM manipulation with no parser involved is really > annoying to use. > Fair enough. Could we propose improvements to the APIs that would make them more usable? For example an object argument to

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Boris Zbarsky
On 10/2/17 10:50 AM, Daniel Veditz wrote: As long as direct DOM manipulation works, and is easier than overwriting (or removing) the page's CSP, can't we just encourage people to use that mechanism? The fact is, direct DOM manipulation with no parser involved is really annoying to use.

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Boris Zbarsky
On 9/30/17 12:19 AM, Kris Maglione wrote: I still haven't settled on the details, but it will probably have to involve capturing the caller principal from SetAttr hooks. Which would involve either changing that machinery to pass along a JS context when invoked by a scripted caller, or using

Re: Intent to implement and ship: CSP exemptions for content injected by privileged callers

2017-10-02 Thread Daniel Veditz
On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky wrote: > On 9/29/17 3:32 PM, Kris Maglione wrote: > >> For instance, the following should all capture the caller principal for >> the `src` URL at call time: >> >> document.write(`http://example.com/favicon.ico;>`); >>

[Firefox Desktop] Issues found: September 25th to September 29th

2017-10-02 Thread Cornel Ionce
Hi everyone, Here's the list of new issues found and filed by the Desktop Release QA Team last week, *September 25 - September 29* (week 39). Additional details on the team's priorities last week, as well as the plans for the current week are available at: