js-shield

Development meeting notes march 5


From: Ruben Rodriguez
Subject: Development meeting notes march 5
Date: Fri, 5 Mar 2021 16:55:26 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Icedove/68.10.0

* Giorgio sent an email pointing out
https://orenlab.sise.bgu.ac.il/p/PP0, about CSS-based attacks against
our threat model. He then wrote to the chief author, Prof. Yossi Oren, who
agreed to disclose an advance copy of the full paper and their code
repository to allow both JS Shield and NoScript to prepare mitigations
far ahead.

* Giorgio worked on the workers problem. Service workers are an issue for
JSR because you can create an off-screen canvas. On both platforms we can
wrap the constructor of workers and then include the original code of
the worker. This is needed to work around CSP. In the case of
service workers it can only be patched on Firefox.
We need to patch ServiceWorkerGlobalScope: there is no way to do it in
Chromium other than maybe warning the users and letting them decide
whether to take the risk or cripple the site, and a quite invasive hack
in Firefox, by using
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/filterResponseData.
Comment on the upcoming Dynamic Scripting API for Manifest V3 in favour
of our cause:
https://bugs.chromium.org/p/chromium/issues/detail?id=1054624#c19

* MIT-licensed components in the code have been removed and replaced
with ones downloaded from npm at build time. This should fix ambiguities
about which files the overall GPLv3 license applies to. We still need to
check if all dependencies are GPLv3+ compatible, e.g. sinon-chrome, which
is licensed ISC, and it also contains some code from Stack Overflow (CC).
It is no longer in our repository but it is a build dependency for unit
testing. Ruben will check on this with the licensing team.
* Unit tests now run as a command line application.
* Some changes are applied to the node modules during build time
(scripted). The modified node modules are only used for testing, and not
packaged into the extension. They are modified in a way that makes unit
tests print the correct line numbers for errors, but the column numbers
may not match.
* For runtime dependency node modules, the source code is not modified
but the manifest json does get automatically modified.

 * Libor and Martin worked on the Doxygen doc and finished the task for
the NLnet project on wrapper documentation. Libor moved and extended the
documentation on how to write a wrapper.
 * How to separate the documentation on wrappers that is oriented to
developers from the info for final users: this can be done by adding
another Doxygen comment with a \file command with a different \ingroup
command, then we can have different versions of the text (one for dev
and one for users). There are some explanatory strings related to
wrapper functionality, but they are in a higher-level script, not in the
wrappers. This should be worked on as part of the changes to the UI.

 * Giorgio is aiming to have the PR ready before next meeting.
 * We need to work on the UI design as it will affect other decisions.
Ruben will try to get the work started for next week's design team meeting.

Attachment: 0x46A70073E4E50D4E.asc
Description: application/pgp-keys
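
The constructor wrapping mentioned in the notes above (wrap the Worker constructor, then include the worker's original code), as an added example that is not part of the original message and is not JS Shield's or NoScript's code. `composeWorkerSource`, `installWorkerWrapper`, `loadSource` and `SHIELD_SOURCE` are hypothetical names, and the shield body is a constructed stand-in for real wrappers.

```javascript
// Added illustration; not JS Shield's or NoScript's own code.
// SHIELD_SOURCE is a constructed stand-in for the protective wrappers that
// must be in place before the worker can touch OffscreenCanvas.
const SHIELD_SOURCE = `
if (typeof OffscreenCanvas !== "undefined") {
  const realGetContext = OffscreenCanvas.prototype.getContext;
  OffscreenCanvas.prototype.getContext = function (...args) {
    // A real wrapper would alter canvas readback here (assumption).
    return realGetContext.apply(this, args);
  };
}`;

// Wrapper code goes first, inside its own function scope, so it runs before
// any statement of the original worker and leaks no local names into it.
function composeWorkerSource(shieldSource, originalSource) {
  return `(function () {${shieldSource}\n})();\n${originalSource}`;
}

// Replace scope.Worker with a proxy whose construct trap rebuilds the script.
// loadSource(url) is a hypothetical synchronous fetch of the worker script
// (in a page this could be a synchronous XMLHttpRequest).
function installWorkerWrapper(scope, loadSource, shieldSource = SHIELD_SOURCE) {
  const RealWorker = scope.Worker;
  scope.Worker = new Proxy(RealWorker, {
    construct(target, [url, options], newTarget) {
      const absolute = new URL(url, scope.location.href).href;
      let patched;
      try {
        patched = composeWorkerSource(shieldSource, loadSource(absolute));
      } catch (e) {
        // Fail closed: never start an unwrapped worker if the source is unreadable.
        throw new Error(`worker blocked, source unavailable: ${absolute}`);
      }
      const blob = new scope.Blob([patched], { type: "text/javascript" });
      const blobUrl = scope.URL.createObjectURL(blob);
      return Reflect.construct(target, [blobUrl, options], newTarget);
    },
  });
  return RealWorker; // kept so the caller can restore the original
}
```

Relative `importScripts()` calls in the original script resolve against the `blob:` URL once it is loaded this way, so a full implementation also has to wrap or rewrite them.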

