Security review of Cross Site XMLHttpRequest


Security review of Cross Site XMLHttpRequest

Jonas Sicking-2
Hi All,

For Firefox 3 we're planning on adding support for cross site
XMLHttpRequest. To make sure that this new feature will be as safe as
possible we are planning on holding a security review for the feature
this coming Wednesday (2/21) at 3pm PST (11pm GMT). We'll go through
both security issues in the feature itself and potential security issues
in the implementation design.

The idea of the meeting is not to solve every concern that we can come
up with, but rather try to come up with an extensive list of possible
security problems that we need to check the final implementation for.

A background document that contains an initial list of possible security
issues is available here:

http://wiki.mozilla.org/Cross_Site_XMLHttpRequest

If you can't make the meeting feel free to add your input to the above
document.

I will publish call-in details for the meeting on Tuesday.

Best Regards,
Jonas Sicking
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning

Re: Security review of Cross Site XMLHttpRequest

timeless-3
On Feb 17, 4:25 am, Jonas Sicking <[hidden email]> wrote:
> For Firefox 3 we're planning on adding support for cross site
> XMLHttpRequest. To make sure that this new feature will be as safe as
> possible we are planning on holding a security review for the feature
> this coming wednesday (2/21) at 3pm PST (11pm GMT). We'll go through
> both security issues in the feature itself and potential security issues
> in the implementation design.

You're holding a security review at 1am local time?

great.

didn't we just have a nice discussion in this same newsgroup about the
problems involved in scheduling and the idea of being at least
slightly world aware?


Re: Security review of Cross Site XMLHttpRequest

Robert Accettura
timeless wrote:
> You're holding a security review at 1am local time?
>
> great.
>
> didn't we just have a nice discussion in this same newsgroup about the
> problems involved in scheduling and the idea of being at least
> slightly world aware?
>  
Perhaps the ultimate solution is to have multiple sessions for things
like this (perhaps 2 of them, staged 12hrs apart).  Last I checked it's
typically 1am somewhere in the world, and this is a pretty global
community.  At least if there were 2 smaller sessions this wouldn't be
so much of an issue.


--
Robert Accettura
[hidden email]



Re: Security review of Cross Site XMLHttpRequest

L. David Baron
On Saturday 2007-02-17 14:39 -0500, Robert Accettura wrote:
> Perhaps the ultimate solution is to have multiple sessions for things
> like this (perhaps 2 of them, staged 12hrs apart).  Last I checked it's
> typically 1am somewhere in the world, and this is a  pretty global
> community.  At least if there were 2 smaller sessions this wouldn't be
> so much of an issue.

For something like this having 2 meetings is overkill.

A security review or design review is essentially a wider form of
code review.  For code review, one or two people is usually
sufficient.  For security review and design review we're trying to
reach a wider audience.  Frankly, this is something new, and it's
good we're trying to reach a wider audience earlier in the design
process.  But it doesn't mean that we have to reach everybody.

The advantage of having this kind of thing done in a meeting is that
people can comment on other people's comments or realize new issues
based on issues other people bring up.  But it's also possible to do
that via email, either before or after the meeting.

If you insist that anybody in Mountain View who wants to have a
security review of a new feature do the whole thing twice, at two
inconvenient times, you'll just ensure that nobody does security
reviews, or at least that nobody announces them to the public.
After all, all we technically require is code review and
superreview.  We want to encourage more review when the author
thinks it's a good idea; we don't want to make the process of asking
for additional review so painful that nobody ever does it.

If we required every member of the community to review every patch
we'd be going nowhere fast.

-David

--
L. David Baron                                <URL: http://dbaron.org/ >
           Technical Lead, Layout & CSS, Mozilla Corporation


Re: Security review of Cross Site XMLHttpRequest

Gervase Markham
In reply to this post by Robert Accettura
L. David Baron wrote:
> For something like this having 2 meetings is overkill.

Absolutely. But having the one meeting at 3pm PST rather than, say, 10am
PST seems unnecessarily exclusive. Unless there are people in New
Zealand/Japan who are working on this feature who wish to be involved?

> If you insist that anybody in Mountain View who wants to have a
> security review of a new feature do the whole thing twice, at two
> inconvenient times, you'll just ensure that nobody does security
> reviews,

Of course. I don't think that doing it twice is a good idea.

Gerv

Re: Security review of Cross Site XMLHttpRequest

Mike Shaver
In reply to this post by timeless-3
On 17 Feb 2007 11:33:51 -0800, timeless <[hidden email]> wrote:
> On Feb 17, 4:25 am, Jonas Sicking <[hidden email]> wrote:
> > For Firefox 3 we're planning on adding support for cross site
> > XMLHttpRequest. To make sure that this new feature will be as safe as
> > possible we are planning on holding a security review for the feature
> > this coming wednesday (2/21) at 3pm PST (11pm GMT). We'll go through
> > both security issues in the feature itself and potential security issues
> > in the implementation design.
>
> You're holding a security review at 1am local time?

(Aren't you usually on IRC at that time anyway?)

> didn't we just have a nice discussion in this same newsgroup about the
> problems involved in scheduling and the idea of being at least
> slightly world aware?

Yes, indeed, but I don't recall anyone providing a silver bullet.  Can
you put your thoughts in the wiki as a baseline?

Mike

Re: Security review of Cross Site XMLHttpRequest

Mike Connor-4
In reply to this post by Gervase Markham

On 19-Feb-07, at 6:38 AM, Gervase Markham wrote:

> L. David Baron wrote:
>> For something like this having 2 meetings is overkill.
>
> Absolutely. But having the one meeting at 3pm PST rather than, say,  
> 10am PST seems unnecessarily exclusive. Unless there are people in  
> New Zealand/Japan who are working on this feature who wish to be  
> involved?

Sure, but is this the meeting that we throw in that timeslot?  I
agree with dbaron that it's not something we want to put too much
emphasis or process around; the fact that we're having it with an
open dial-in is pretty good.  FWIW, given that these can take a
while, 10 AM would likely overflow into the 11 AM Gecko 1.9 meeting.
Also, is there a reason to default to accommodating Europe vs.
Asia/NZ?  Are there people in Europe working on this feature?  If the
answer is "only people in MV are really working on this feature" then
meeting time should be whatever works for that group of people.

Ultimately, meeting organizers need to start assessing who they
really want at a meeting, and base scheduling around that.  Depending
on the impact of the meeting, there might be a case for seeing who
really wants to be at the meeting, and why (direct impact on work >
curiosity/desire to be involved, out of brutal necessity), before
trying to schedule.  Between MozEU and MozJP/MozNZ, many meetings are
going to be excluding some people; what's going to matter is not
excluding the wrong people.

-- Mike



Re: Security review of Cross Site XMLHttpRequest

Gervase Markham
In reply to this post by Gervase Markham
Mike Connor wrote:
> Sure, but is this the meeting that we throw in that timeslot?  I agree
> with dbaron that it's not something we want to put too much emphasis or
> process around, the fact that we're having it with an open dial-in is
> pretty good.  FWIW, given that these can take a while, 10 AM would
> likely overflow into the 11 AM Gecko 1.9 meeting.  

Then maybe 10am another day. Or are there 11am meetings every day?

> Also, is there a
> reason to default to accommodating Europe vs. Asia/NZ?

My understanding is that there are more community members in Europe than
in Asia, which might affect our choice of default. But I agree with your
point below, which is that we need to schedule meetings based on the
timezone of the people interested in attending them.

> Are there
> people in Europe working on this feature?

Well, timeless seems to be interested in taking part.

> If the answer is "only people
> in MV are really working on this feature" then meeting time should be
> whatever works for that group of people.

I must have missed the part where someone enquired about who was
interested in working on the feature, and then worked out what timezone
they were all in. Maybe it happened by private mail.

Or, if it didn't happen: why are we asking these questions after the
meeting has been fixed, rather than before?

> Ultimately, meeting organizers need to start assessing who they really
> want at a meeting, and base scheduling around that.  Depending on the
> impact of the meeting, there might be a case for seeing who really wants
> to be at the meeting, and why (direct impact on work > curiosity/desire
> to be involved, out of brutal necessity), before trying to schedule.  
> Between MozEU and MozJP/MozNZ, many meetings are going to be excluding
> some people, what's going to matter is not excluding the wrong people.

Of course; we can't have a meeting time which is convenient for
everyone. However, it would be nice if it were obvious from the email
when meetings are scheduled that there had been more to the process than
someone putting their head above a cube wall in Mountain View and saying
"3pm Wednesday OK for everyone?".

My mission is not to cause all meetings to be as inconvenient for people
in Mountain View as possible. I just think that our default procedure
for scheduling meetings needs to, obviously and transparently, take
account of the distributed nature of the project. It's part of being
"open by default".

Gerv

Re: Security review of Cross Site XMLHttpRequest

Mike Shaver
On 2/19/07, Gervase Markham <[hidden email]> wrote:
> > If the answer is "only people
> > in MV are really working on this feature" then meeting time should be
> > whatever works for that group of people.
>
> I must have missed the part where someone enquired about who was
> interested in working on the feature

Not the same thing, and the difference is important.  People need to
make themselves known through action and participation; being
"interested in working on the feature" doesn't mean that their
inconvenienced curiosity should trump that of a half-dozen others who
have already invested time and energy in it and are committed to doing
so going forward.

I'm all for accommodating the schedules of time-constrained
_contributors_, and if someone says "I put my concerns in the wiki,
but I'd really like to be on the call so that we can talk about Part X
in more detail -- can we start a little earlier?" then I would expect
that request to be taken pretty seriously.  Our record on this is
pretty good there, and the barely-even-implicit accusation that Jonas
doesn't care about people who aren't in his office is pretty out of
order, IMO.  (Heck, _Jonas_ usually isn't in Jonas' office!)

Let's get concrete here, and try to keep this thread from devolving
into the previous one: who has specific things to discuss at the
meeting or a record of productive contributions in this area, and
won't be able to attend the meeting, and would like to propose another
specific time?

> Of course; we can't have a meeting time which is convenient for
> everyone. However, it would be nice if it were obvious from the email
> when meetings are scheduled that there had been more to the process than
> someone putting their head above a cube wall in Mountain View and saying
> "3pm Wednesday OK for everyone?".

Wouldn't it be nice if the assumption wasn't malice or even incompetence?

Also, you need to get _way_ off the Mountain View horse.

> My mission is not to cause all meetings to be as inconvenient for people
> in Mountain View as possible. I just think that our default procedure
> for scheduling meetings needs to, obviously and transparently, take
> account of the distributed nature of the project. It's part of being
> "open by default".

This is open, and anyone can attend.  If you want to call in and make
a recording to share with other people (along with textual minutes,
perhaps), I'm sure that would be very much appreciated by all the
people out there who are curious about what goes on.

Otherwise, people who have something to contribute to the discussion
*and* can't make the meeting should see if they can't effectively
contribute through adding things to the wiki (and responding to notes
from afterwards).  And if that won't work for some reason, then they
should step up and clearly say why and help work out a solution for
this meeting.

The procedure here was transparent, and provides an opportunity for
people to chime in with specifics if they feel it's important that
they're at the meeting (contra putting their thoughts in the wiki and
listening to Gerv's audio/text archive of it afterwards) and they
can't be accommodated.  Borrowing trouble by dreaming up some moral
imperative that all voice meetings be preceded by a plebiscite doesn't
help solve the specific (imputed) problem of an important voice being
missed at this meeting.

Mike

Re: Security review of Cross Site XMLHttpRequest

L. David Baron
In reply to this post by Gervase Markham
On Monday 2007-02-19 17:15 +0000, Gervase Markham wrote:
> Mike Connor wrote:
> >If the answer is "only people
> >in MV are really working on this feature" then meeting time should be
> >whatever works for that group of people.
>
> I must have missed the part where someone enquired about who was
> interested in working on the feature, and then worked out what timezone
> they were all in. Maybe it happened by private mail.

It did happen by private email.  This is not particularly different
from determining code reviewers:  I don't need to send email to a
mailing list to discuss who an appropriate code reviewer for the
patch in bug 366865 would be.  But if other people want to add
substantive comments on the bug, they're welcome to do so.

The answer to who's working on the feature is that sicking is
working on it.  He's asked for some extra design review beforehand,
but it's not a huge feature and it sounds like he's comfortable
implementing it himself.  Requiring anybody who's working on a patch
to ask if there are people in the community who would like to watch
over their shoulder while they type their code in is not a required
part of the Mozilla process, nor should it be.

-David

--
L. David Baron                                <URL: http://dbaron.org/ >
           Technical Lead, Layout & CSS, Mozilla Corporation


Re: Security review of Cross Site XMLHttpRequest

Gervase Markham
In reply to this post by Gervase Markham
Mike Shaver wrote:
> Not the same thing, and the difference is important.  People need to
> make themselves known through action and participation; being
> "interested in working on the feature" doesn't mean that their
> inconvenienced curiosity should trump that of a half-dozen others who
> have already invested time and energy in it and are committed to doing
> so going forward.

Sure. I'm not asking for meetings at 7am PST just in case anyone in
Dubai wants to attend. Is 10am (on a particular day where it doesn't
clash with an 11am meeting) really more inconvenient than 3pm? Or are
there now so many meetings that 3pm on a Wednesday is the only free slot?

> I'm all for accommodating the schedules of time-constrained
> _contributors_, and if someone says "I put my concerns in the wiki,
> but I'd really like to be on the call so that we can talk about Part X
> in more detail -- can we start a little earlier?" then I would expect
> that request to be taken pretty seriously.  

I can't think of how to put this without appearing rude - please
understand I'm not trying to be. But that sounds like a procedure where
we set meeting times first, and Europeans or Kiwis have to be "the
awkward one" and try and change them later. I can see how that would be
discouraging for the person who always seems to be the one having to
upset the already-made plans of others.

>> Of course; we can't have a meeting time which is convenient for
>> everyone. However, it would be nice if it were obvious from the email
>> when meetings are scheduled that there had been more to the process than
>> someone putting their head above a cube wall in Mountain View and saying
>> "3pm Wednesday OK for everyone?".
>
> Wouldn't it be nice if the assumption wasn't malice or even incompetence?

It's neither. I might stretch to "thoughtlessness". What else am I
supposed to think when, despite the fact that we discussed it a couple
of weeks ago, meeting times seem to just appear, at inconvenient times
for European contributors, when (at least as far as I see it; maybe I'm
missing something) they could just as easily be more convenient?

> This is open, and anyone can attend.  

At 11pm (GMT) or midnight (European)? Heck, it's the equivalent of 6pm
EST, and if it goes on for a couple of hours as mconnor suggested, it
could really spoil an evening. Do we have no contributors in that
timezone either? I'm sure I know one or two :-)

> If you want to call in and make
> a recording to share with other people (along with textual minutes,
> perhaps), I'm sure that would be very much appreciated by all the
> people out there who are curious about what goes on.

I've pushed that door a few times - maybe not hard enough. I even tried
to work out how to make Asterisk record calls (I don't have the
equipment) but got lost in the documentation.

WIBNI our Asterisk server automatically recorded and pushed to a website
the regular calls, and any others that it gets told to?

> can't be accommodated.  Borrowing trouble by dreaming up some moral
> imperative that all voice meetings be preceded by a plebiscite doesn't
> help solve the specific (imputed) problem of an important voice being
> missed at this meeting.

That's a straw man. All I'm saying is that, if there's no immediate rush
to hold a particular meeting:

- Someone should say, in an appropriate newsgroup: "We need to schedule
a meeting for X; does anyone not in the PST timezone want to attend?"

- The default time for meetings should be 9, 10 or maybe 11am PST, on
the basis that, as far as I know, there are more European and East Coast
contributors than Japanese/Kiwi/Australian ones. (I expect roc will put
in a request for particular meetings he's interested in to be skewed the
other way, and I further expect it would carry a fair bit of weight,
given how respected a project contributor he is.)

If we get particular people continuously saying "I want to attend",
meetings getting scheduled to accommodate them, and then they either
don't attend or don't contribute, let's cross that bridge when we come
to it.

Gerv

Re: Security review of Cross Site XMLHttpRequest

Mike Connor-4

On 19-Feb-07, at 2:16 PM, Gervase Markham wrote:

> Mike Shaver wrote:
>> Not the same thing, and the difference is important.  People need to
>> make themselves known through action and participation; being
>> "interested in working on the feature" doesn't mean that their
>> inconvenienced curiosity should trump that of a half-dozen others who
>> have already invested time and energy in it and are committed to  
>> doing
>> so going forward.
>
> Sure. I'm not asking for meetings at 7am PST just in case anyone in  
> Dubai wants to attend. Is 10am (on a particular day where it  
> doesn't clash with an 11am meeting) really more inconvenient than  
> 3pm? Or are there now so many meetings that 3pm on a Wednesday is  
> the only free slot?

It's a lot more inconvenient for people who tend to come in late and
work late, especially with the traffic on 101 between 8-10 AM.  I  
know that for myself, vlad and beltzner (and a few others), 10:30 or  
11 AM PST meetings are M-T-W.  But the main point is that I care more  
about accommodating the people already involved than anything else.  
If people aren't already involved in the work being discussed, phone  
meetings are not the place to get involved.

>> I'm all for accommodating the schedules of time-constrained
>> _contributors_, and if someone says "I put my concerns in the wiki,
>> but I'd really like to be on the call so that we can talk about  
>> Part X
>> in more detail -- can we start a little earlier?" then I would expect
>> that request to be taken pretty seriously.
>
> I can't think of how to put this without appearing rude - please  
> understand I'm not trying to be. But that sounds like a procedure  
> where we set meeting times first, and Europeans or Kiwis have to be  
> "the awkward one" and try and change them later. I can see how that  
> would be discouraging for the person who always seems to be the one  
> having to upset the already-made plans of others.

Meeting times should be set based on the key attendees.  Others can  
attend if they like, but it's hard enough getting key attendees
scheduled most of the time.  Introducing a constraint that probably  
doesn't add value to the meeting doesn't make a lot of sense.

>>> Of course; we can't have a meeting time which is convenient for
>>> everyone. However, it would be nice if it were obvious from the  
>>> email
>>> when meetings are scheduled that there had been more to the  
>>> process than
>>> someone putting their head above a cube wall in Mountain View and  
>>> saying
>>> "3pm Wednesday OK for everyone?".
>> Wouldn't it be nice if the assumption wasn't malice or even  
>> incompetence?
>
> It's neither. I might stretch to "thoughtlessness". What else am I  
> supposed to think when, despite the fact that we discussed it a  
> couple of weeks ago, meeting times seem to just appear, at  
> inconvenient times for European contributors, when (at least as far  
> as I see it; maybe I'm missing something) they could just as easily  
> be more convenient?

If European contributors aren't involved in the work already, I don't  
think it matters.  If they were, I'm sure Jonas would have scheduled  
with them in mind.  Same goes for EST contributors.  There's a  
meeting about offline apps that needs to happen, which involves  
bsmedberg, roc, doublec, and others, which will almost certainly not  
be at a Euro-friendly time because of the Kiwis.  But when we  
schedule it, we'll be considering those key attendees when picking a  
time.  I think that's reasonable.

>> can't be accommodated.  Borrowing trouble by dreaming up some moral
>> imperative that all voice meetings be preceded by a plebiscite  
>> doesn't
>> help solve the specific (imputed) problem of an important voice being
>> missed at this meeting.
>
> That's a straw man. All I'm saying is that, if there's no immediate  
> rush to hold a particular meeting:
>
> - Someone should say, in an appropriate newsgroup: "We need to  
> schedule a meeting for X; does anyone not in the PST timezone want  
> to attend?"

I think this is largely useless, unless by "attend" you mean "make a  
meaningful contribution to the meeting".  If people want to call in
and listen, but don't have anything to add, we should look into  
recordings.  Minutes probably scale better, since most meetings can  
be written up in a way that takes < 5 minutes to read, instead of 60+  
minutes to listen to.

> - The default time for meetings should be 9, 10 or maybe 11am PST,  
> on the basis that, as far as I know, there are more European and  
> East Coast contributors than Japanese/Kiwi/Australian ones. (I  
> expect roc will put in a request for particular meetings he's  
> interested in to be skewed the other way, and I further expect it  
> would carry a fair bit of weight, given how respected a project  
> contributor he is.)

I actually don't like 9 AM PST meetings since that blows up lunch for  
EST, and forces a bunch of non-morning people to deal with traffic  
who are in MV.  10-11 are nice, but 1-2 PM PST work for me just fine  
too.  If you don't have Europeans involved, you have a lot more  
flexibility.

Also, this basically assumes we'll have 1-2 meetings per week, max,  
btw, which isn't a safe assumption at all.  How do we decide which  
meetings get these slots?

> If we get particular people continuously saying "I want to attend",  
> meetings getting scheduled to accommodate them, and then they  
> either don't attend or don't contribute, let's cross that bridge  
> when we come to it.

We opened up the mozilla.org staff meeting to be a project meeting.  
Lots of people call in, but very few (none?) actively participate who  
aren't Moz* employees.  Same thing with the Fx2/Fx3 meetings.  If  
someone was a key contributor and asked us to move the call, we'd try  
to accommodate them if possible, but the people who will actually  
participate in the call are the people who should be considered when  
scheduling meetings.

-- Mike

Re: Security review of Cross Site XMLHttpRequest

Rob Sayre-2
In reply to this post by Gervase Markham
Mike Connor wrote:
>
> Meeting times should be set based on the key attendees.  

Fully agree. I am very sensitive to openness issues, but I think this
entire thread misses the mark. We're not hearing any feedback of the
form "__________ interferes with my contribution of __________". Reading
public minutes, summary emails, and bugzilla should be enough for anyone
not involved at that level.

- Rob

Re: Security review of Cross Site XMLHttpRequest

Gervase Markham
In reply to this post by Gervase Markham
Mike Connor wrote:
> It's a lot more inconvenient for people who tend to come in late and work
> late, especially with the traffic on 101 between 8-10 AM.  I know that
> for myself, vlad and beltzner (and a few others), 10:30 or 11 AM PST
> meetings are M-T-W.

Various Googlings don't reveal an expansion for that acronym :-(

> I think this is largely useless, unless by "attend" you mean "make a
> meaningful contribution to the meeting".  If people want to call in and
> listen, but don't have anything to add, we should look into recordings.  
> Minutes probably scale better, since most meetings can be written up in
> a way that takes < 5 minutes to read, instead of 60+ minutes to listen to.

The unfortunate thing about minutes is that they require someone to take
them. But yes, I agree minutes would be great.

> I actually don't like 9 AM PST meetings since that blows up lunch for
> EST, and forces a bunch of non-morning people to deal with traffic who
> are in MV.  10-11 are nice, but 1-2 PM PST work for me just fine too.  
> If you don't have Europeans involved, you have a lot more flexibility.
>
> Also, this basically assumes we'll have 1-2 meetings per week, max, btw,
> which isn't a safe assumption at all.

You mean in addition to the weekly status, and the Firefox 2 and 3
meetings? Then yes, I agree, it does.

> How do we decide which meetings
> get these slots?

I don't see that many meeting announcements fly by (with the exception
of the PRD fortnight), but maybe I'm not subscribed to the right
newsgroups.

Anyway, I've made my points, and there's clearly a disagreement here.
Can we at least go as far as the following?

Shaver suggests that if a meeting is scheduled for a time people can't
make, they should ask to have it rearranged. Would it be reasonable to
ask people to put an explicit invitation to do so on each meeting
request, so people don't feel they are being the Awkward Squad all the
time? Something like:

"If you have a contribution you want to make to this meeting, but can't
make the above time and feel that it's important you make it in person,
please contact the meeting organiser to discuss moving the meeting."

Gerv

Re: Security review of Cross Site XMLHttpRequest

Michael Lefevre
On 2007-02-20, Gervase Markham <[hidden email]> wrote:
> Mike Connor wrote:
>> It's a lot more inconvenient for people who tend to come in late and work
>> late, especially with the traffic on 101 between 8-10 AM.  I know that
>> for myself, vlad and beltzner (and a few others), 10:30 or 11 AM PST
>> meetings are M-T-W.
>
> Various Googlings don't reveal an expansion for that acronym :-(

Typing it into the search box with spaces suggests a search for
"m t w t f", which finds http://acronyms.thefreedictionary.com/MTWTF as
the first hit.

Michael


Re: Security review of Cross Site XMLHttpRequest

Jonas Sicking-2
In reply to this post by Jonas Sicking-2
Wow, I missed out on this whole fun discussion while snowboarding up in
Tahoe (3-day weekend here in the US).

The chosen time was my bad. I didn't think it through properly before
picking the time slot and by the time I realized my mistake I had
already checked with enough people that I didn't want to change the
time. This is especially comic given that I'm a European myself :)

But let's reschedule this to Thursday 11am PST (7pm GMT).

Again, if you can't attend that time but still want to give input,
please update the following wiki page:

http://wiki.mozilla.org/Cross_Site_XMLHttpRequest

Best Regards,
Jonas Sicking


Re: Security review of Cross Site XMLHttpRequest

Jonas Sicking-2
And here are the meeting details:

     * Thursday, Feb 22nd, 11:00 am PST (19:00 UTC)
     * 650-215-1282 x91 Conf# 254 (US/INTL)
     * 1-800-707-2533 (pin 369) Conf# 254 (US)
     * join irc.mozilla.org #securityreview for back channel
     * Further info http://wiki.mozilla.org/Cross_Site_XMLHttpRequest

/ Jonas


Re: Security review of Cross Site XMLHttpRequest

Myk Melez
In reply to this post by Gervase Markham
Gervase Markham wrote:
> Would it be reasonable to
> ask people to put an explicit invitation to do so on each meeting
> request, so people don't feel they are being the Awkward Squad all the
> time?

Has this been a problem?  Seems to me folks haven't been reticent to
speak up when times are bad for them (but then, if they were, I guess
we'd not be likely to hear about it), and folks have been cheerfully
accommodated--not made to feel awkward--when they did speak up about
specific meetings (although obviously you're meeting potentially
awkwardness-inducing resistance to the idea of accommodating folks in
advance for meetings in general).

While there's always a danger of inadvertently excluding folks you don't
explicitly plan to include, and some kinds of meetings will be
different, I think mconnor is right in this case (and others like it):

The meeting time should accommodate primarily the folks that the
organizer thinks should attend because of active involvement or specific
knowledge, secondarily folks who express an interest in and aptitude for
the subject to be discussed, and tertiarily the general public.

-myk

Re: Security review of Cross Site XMLHttpRequest

timeless-3
In reply to this post by Jonas Sicking-2
On Feb 21, 12:47 am, Jonas Sicking <[hidden email]> wrote:
> And here are the meeting details:
>
>      * Thursday, Feb 22nd, 11:00 am PST (19:00 UTC)
>      * 650-215-1282 x91 Conf# 254 (US/INTL)
>      * 1-800-707-2533 (pin 369) Conf# 254 (US)
>      * join irc.mozilla.org #securityreview for back channel
>      * Further info http://wiki.mozilla.org/Cross_Site_XMLHttpRequest

I'm sorry about the fuss and being unable to make the meeting. As it
happens I was basically on a plane to FOSDEM at the rescheduled time
(I suppose that I should have listed my blackout dates or something, I
do keep a Google calendar and it actually does maintain some of this
info, including flights [although I can't handle time zones, so I'm
writing this note from Brussels having missed my flight home :(] ). I
did send sicking notes in the form of a docs.google URL. From reading
the URL it appears that sicking left a link.

Looks like some of my worries were also bullets in the list
(especially the first one).

Based on timestamps, I'm assuming that the meeting notes haven't been
integrated into the wiki URL? I'd like to read more about the
discussion.


Re: Security review of Cross Site XMLHttpRequest

Jonas Sicking-2
timeless wrote:

> On Feb 21, 12:47 am, Jonas Sicking <[hidden email]> wrote:
>> And here are the meeting details:
>>
>>      * Thursday, Feb 22nd, 11:00 am PST (19:00 UTC)
>>      * 650-215-1282 x91 Conf# 254 (US/INTL)
>>      * 1-800-707-2533 (pin 369) Conf# 254 (US)
>>      * join irc.mozilla.org #securityreview for back channel
>>      * Further info http://wiki.mozilla.org/Cross_Site_XMLHttpRequest
>
> I'm sorry about the fuss and being unable to make the meeting. As it
> happens I was basically on a plane to FOSDEM at the rescheduled time
> (I suppose that I should have listed my blackout dates or something, I
> do keep a Google calendar and it actually does maintain some of this
> info, including flights [although I can't handle time zones, so I'm
> writing this note from Brussels having missed my flight home :(] ). I
> did send sicking notes in the form of a docs.google URL. From reading
> the URL it appears that sicking left a link.

No worries, some other EU people were able to make it thanks to the
rescheduling (of course, some US people were unable to do so due to the
rescheduling, but that's how it goes).

We're never going to be able to find a time slot that works for all
individuals, that's just how it works.

> Based on timestamps, I'm assuming that the meeting notes haven't been
> integrated into the wiki url? i'd like to read more about the
> discussion.

The meeting notes are in there. The times are by default UTC (or
possibly GMT), so you need to log in and set preferences if you want
them for your timezone.

/ Jonas