js-shield

Development meeting notes 14/Jun/2021


From: Ruben
Subject: Development meeting notes 14/Jun/2021
Date: Mon, 14 Jun 2021 17:23:35 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.8.1

* eBay was using some security scripts to detect open local ports, which
is something that JSR had implemented. It was nice to see it being
useful to deploy in the field with this use case.
* All changes from Giorgio sent to pagure are currently merged. Giorgio
may have further changes pending upload, related to prevention of use of
webworkers. Giorgio has been working on rewriting the wrappers to make
them work with webworkers. There is also a patch to fix infinite
recursion problems in some cases with popups. Merge requests for these
changes will be ready this week.
* Giorgio managed to add all the license boilerplate for compatibility
with reuse. Ruben will be checking that we do follow all FSF recommended
best practices, and that any changes in that regard can be added through
an automated tool (perhaps the reuse check tool can do it). We can use a
REUSE template which implements FSF's recommended style,
https://reuse.readthedocs.io/en/stable/usage.html
* Libor's team worked on implementing the fingerprinting protection from
Brave. They work by altering the API returns used for fingerprinting,
and they can be randomized per-session. This is a protection that would
fit for level 2 of JSR. This is done by adding a number of new wrappers,
and some changes to existing ones like canvas. A few of the ideas
implemented on Brave are hard to re-implement with JS, like the list of
fonts available.
  * In Brave these functions are turned on for all users and may be
possible to turn off for some sites.
  * Giorgio asks, since the original work is in C and the new
implementation is a rewrite into JS, there should be no need to use the
Mozilla license instead of GPL. Libor will provide sample source files
for Ruben to pass to Licensing to confirm this.
  * Libor may contact the Brave people about their implementation
method, they used a session key and domain key, to be able to be random
but stay across sessions. This key system was ported to our system, and
may need to be further reviewed. Giorgio looked a bit into this
functionality, thinks that the best way to implement this is with domain
keys in memory, and a different set to be used in incognito. Libor
agrees, the session key should not be needed, the worry is to have a
large list of keys of domains.
* Right now each level needs to specify everything, so it cannot be
customized. Every time that a new wrapper is added we need to define
them in the level definition. We want to prevent the case where an
update is done, that adds new wrappers changing the behavior of a level,
taking the user by surprise. Libor is thinking of working on the backend
of the extension to allow for a way to customize the levels by the user.
One possibility is to set this in the configuration page for a level, or
we can wait for a more concrete proposal for the UI changes.
* Libor replied to recommendation for UI changes commented by Ruben.
-- 
Ruben Rodriguez | Chief Technology Officer, Free Software Foundation
GPG Key: 05EF 1D2F FE61 747D 1FC8  27C3 7FAC 7D26 472F 4409
https://fsf.org | https://gnu.org
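
Added example, not part of the original message and not JShelter or Brave code: a sketch of the in-memory per-domain key idea from the fingerprinting item in the notes, with a separate key set for incognito. The names DomainKeyStore, farble and clearIncognito, the HMAC-SHA-256 noise derivation, and the sample bytes are assumptions made for illustration; it runs under Node.js.

```javascript
// Added illustration: all names are hypothetical, not JShelter or Brave code.
const nodeCrypto = require('node:crypto');

class DomainKeyStore {
  constructor() {
    // Keys live only in memory; incognito gets its own set so the two never correlate.
    this.sets = { normal: new Map(), incognito: new Map() };
  }

  keyFor(domain, incognito = false) {
    const set = incognito ? this.sets.incognito : this.sets.normal;
    if (!set.has(domain)) set.set(domain, nodeCrypto.randomBytes(32));
    return set.get(domain);
  }

  // Assumed lifecycle hook: called when the last incognito window closes.
  clearIncognito() {
    this.sets.incognito.clear();
  }
}

// Flip the least significant bit of each byte using a keystream derived from the
// domain key: stable for one domain, unrelated across domains.
function farble(bytes, domainKey, label = 'canvas') {
  const out = Uint8Array.from(bytes);
  let block = null;
  for (let i = 0; i < out.length; i++) {
    if (i % 256 === 0) {
      // One HMAC-SHA-256 output supplies 256 noise bits.
      block = nodeCrypto.createHmac('sha256', domainKey)
        .update(`${label}:${i / 256}`).digest();
    }
    out[i] ^= (block[(i % 256) >> 3] >> (i & 7)) & 1;
  }
  return out;
}

// Constructed sample: 64 bytes standing in for canvas pixel data.
const SAMPLE = Uint8Array.from({ length: 64 }, (_, i) => (i * 37) & 0xff);

function demo() {
  const store = new DomainKeyStore();
  const hex = (d, inc) => Buffer.from(farble(SAMPLE, store.keyFor(d, inc))).toString('hex');
  return {
    a1: hex('a.example', false), a2: hex('a.example', false),
    b: hex('b.example', false), aIncognito: hex('a.example', true),
  };
}
```

The store grows by one 32-byte key per visited domain, which is the list-size worry raised in the notes.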


