Re: Intent to implement and ship: same-site cookies

2018-04-20 Thread Francois Marier
On 09/04/18 07:25 PM, Francois Marier wrote:
> We intend to ship same-site cookies in Firefox 61.

This has now been uplifted and will be shipping in Firefox 60. Status can be tracked on https://wiki.mozilla.org/Security/SameSiteCookies. Franc

Intent to implement and ship: same-site cookies

2018-04-09 Thread Francois Marier
We intend to ship same-site cookies in Firefox 61. This new cookie attribute allows sites to prevent cross-site requests from using those cookies, which provides a mechanism for web sites to protect themselves against Cross-Site Request Forgery (CSRF) attacks. Specification (cookies): https://tools

Intent to ship version 4 of the Safe Browsing protocol

2017-08-15 Thread Francois Marier
After a year's worth of development, bug fixes, and integration testing, we are now ready to enable the latest version [1] of the Safe Browsing API in Firefox 56, two releases ahead of schedule and only a few weeks behind Chrome. We do not expect any user-visible changes, but will be running an ex

Intent to implement version 4 of the Safe Browsing protocol

2016-08-02 Thread Francois Marier
The Safe Browsing service we rely on for protection against malware and deceptive sites is migrating to a new version of the Safe Browsing protocol. Version 4 will enable Google to quickly send the most relevant list entries to clients (based on platform and locale for example) as well as deal with

Re: Intent to ship: Treat cookies set over non-secure HTTP as session cookies

2016-04-14 Thread Francois Marier
On 15/04/16 03:58 AM, Tanvi Vyas wrote:
> So how about a preference that treats all cookies set in a third party
> context as session cookies. We could restrict this to HTTP, or even
> apply it to third party HTTPS cookies.

We seem to have this already: network.cookie.thirdparty.sessionOnly Fran

Intent to ship: Subresource Integrity (SRI)

2015-09-15 Thread Francois Marier
On 30/12/14 09:40 PM, Francois Marier wrote:
> Summary: Allow web authors to add integrity checks to sub-resources.
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096
>
> Spec: http://www.w3.org/TR/SRI/
>
> Platforms: all
>
> Estimated or target release:

Re: AdBlock Plus as a ServiceWorker?

2015-05-20 Thread Francois Marier
On 21/05/15 07:01, David Rajchenbach-Teller wrote:
> So is there something that ABP developers can do at the moment to
> reimplement their code without CPOWs & co? And is it documented anywhere
> on MDN?

There's nothing like that at the moment, but I'd be happy to work with a blocklist add-on deve

Re: AdBlock Plus as a ServiceWorker?

2015-05-08 Thread Francois Marier
On 08/05/15 19:42, Frederik Braun wrote:
> I thought that the APIs we brought into Firefox by implementing Tracking
> Protection were supposed to provide a better (canonical?) way to hook
> your own blocker into Firefox.

Yes, as long as they're willing to stand up a server [1] that serves their l

Re: Can we make try builds default to a different profile than Nightly/Aurora/Beta/Release builds?

2015-04-08 Thread Francois Marier
On 09/04/15 15:39, Seth Fowler wrote:
> Sounds like yet another reason to build support and UI for this stuff
> directly into the browser.

On that note, Bram from UX has some ideas about what it could look like: https://wiki.mozilla.org/Security/Contextual_Identity_Project/User_Profiles Franco

Re: Dropping support for MSVC2012

2015-01-03 Thread Francois Marier
On 04/01/15 19:28, Philip Chee wrote:
> To me, the default answer to whether we should keep supporting MinGW
> is "no", merely because it will require time and effort that will not
> directly benefit our users as we do not use that compiler to release
> Firefox. That is, without someone coming up

Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Francois Marier
On 31/12/14 21:42, Ms2ger wrote:
> What's the testing story? Do we pass the web-platform tests
> ()?

We do, except for one which relies on ambiguity in the spec and is currently being discussed [1] in the working group. I

Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Francois Marier
On 31/12/14 19:09, L. David Baron wrote:
>> Spec: http://www.w3.org/TR/SRI/
>
> The TR draft of that spec looks a bit out-of-date. Will you be
> referring to the editor's draft, and tracking the progress in the
> working group, or be in touch with others who are?

Yes, I'm working off of the edit

Re: Intent to implement: Sub-resource Integrity (SRI)

2014-12-31 Thread Francois Marier
On 31/12/14 19:00, Johnny Stenback wrote:
> LGTM, what's the status wrt other browsers supporting this?

Chromium has implemented the same subset of the spec as us (which is roughly what Level 1 is shaping up to be). It has already landed in Canary, not sure when they plan on pushing it to the rele

Intent to implement: Sub-resource Integrity (SRI)

2014-12-30 Thread Francois Marier
Summary: Allow web authors to add integrity checks to sub-resources.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=992096

Spec: http://www.w3.org/TR/SRI/

Platforms: all

Estimated or target release: Q1 of 2015

Preference behind which this will be implemented: security.subResourceIntegrity.e