Closed Bug 1353148 Opened 7 years ago Closed 7 years ago

Extend Telemetry Histograms for COOKIE_SCHEME_SECURITY, FAMILY_SAFETY, MIXED_CONTENT_OBJECT_SUBREQUEST, WEBRTC_GET_USER_MEDIA_SECURE_ORIGIN

Categories

(Core :: DOM: Security, defect)

RESOLVED FIXED
mozilla55
Tracking Status
firefox55 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files, 2 obsolete files)

The following histograms will be expiring on 2017-04-17, and should be removed from the codebase, or have their expiry versions updated:

* COOKIE_SCHEME_SECURITY expires in version 55.0a1 (watched by seceng@mozilla.org) - How often are secure cookies set from non-secure origins, and vice-versa? 0=nonsecure/http, 1=nonsecure/https, 2=secure/http, 3=secure/https
* FAMILY_SAFETY expires in version 55.0a1 (watched by seceng@mozilla.org) - Status of Family Safety detection and remediation. See nsNSSComponent.cpp.
* MIXED_CONTENT_OBJECT_SUBREQUEST expires in version 55.0a1 (watched by seceng@mozilla.org) - How often objects load insecure content on secure pages (counting pages, not objects). 0=pages with no mixed object subrequests, 1=pages with mixed object subrequests
* WEBRTC_GET_USER_MEDIA_SECURE_ORIGIN expires in version 55.0a1 (watched by seceng@mozilla.org) - Origins for getUserMedia calls (0=other, 1=HTTPS, 2=file, 3=app, 4=localhost, 5=loop, 6=privileged)
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]
Dan, looking at the histograms that are about to expire, I think we want to renew all of those 4. Agreed?

Btw, do I need review from someone else besides you to get those histogram extensions landed?
Attachment #8854136 - Flags: review?(dveditz)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Dan, looking at the histograms that are about to expire, I think we want to
> renew all of those 4. Agreed?

Agreed.

> Btw, do I need review from someone else besides you to get those histogram
> extensions landed?

No, just to add them in the first place (and maybe to change expiration to "never"?)

There are several CSP_ probes that are expiring at the same time:

CSP_DOCUMENTS_COUNT
CSP_UNSAFE_INLINE_DOCUMENTS_COUNT
CSP_UNSAFE_EVAL_DOCUMENTS_COUNT
CSP_REFERRER_DIRECTIVE (expires in 56)

Do you want to extend those as well? I'm not entirely sure what they count. Number of CSP page loads in a session?
Comment on attachment 8854136
bug_1353148_histogram_extension.patch

Review of attachment 8854136:
-----------------------------------------------------------------

Is extending these three releases (another 4.5 months) sufficient? While we're doing this let's grab another quarter and just push it all to 60. Either way please also push out COOKIE_LEAVE_SECURE_ALONE to match. r=dveditz

::: toolkit/components/telemetry/Histograms.json
@@ -8757,5 @@
>      "n_values": 10,
>      "releaseChannelCollection": "opt-out",
>      "description": "How often are secure cookies set from non-secure origins, and vice-versa? 0=nonsecure/http, 1=nonsecure/https, 2=secure/http, 3=secure/https"
>    },
>    "COOKIE_LEAVE_SECURE_ALONE": {
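
Review bot: the "description" on the COOKIE_SCHEME_SECURITY entry in this context documents only values 0 through 3, while "n_values" is 10, so the values above 3 have no stated meaning. While the entry is being edited for its expiry, consider adding a short clause to the description saying the remaining values are unused, so anyone reading the collected data does not have to guess.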

Please push COOKIE_LEAVE_SECURE_ALONE out to match the others
Attachment #8854136 - Flags: review?(dveditz) → review+
Good catch Dan, I extended the CSP_* probes as well. I think someone told me that we should not use 'never' but I can't recall who it was. Anyway, I am using "60" now as a tradeoff. Extending those probes only takes minimum effort, so I think we can extend it again in FF60 if needed.
Attachment #8854136 - Attachment is obsolete: true
Attachment #8854534 - Flags: review?(dveditz)
Ah sorry, for some reason I missed comment 3. Updated everything you requested. Carrying over your r+ (no need for additional review).
Attachment #8854534 - Attachment is obsolete: true
Attachment #8854534 - Flags: review?(dveditz)
Attachment #8854535 - Flags: review+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bfa8d0189e50
Extend Telemetry Histograms for COOKIE_*, FAMILY_SAFETY, MIXED_CONTENT_OBJECT_SUBREQUEST, WEBRTC_GET_USER_MEDIA_SECURE_ORIGIN and CSP_*. r=dveditz
Keywords: checkin-needed
Attachment #8854559 - Flags: review?(francois)
Comment on attachment 8854559
bug_1353148_followup.patch

Review of attachment 8854559:
-----------------------------------------------------------------

datareview+ for both patches
Attachment #8854559 - Flags: review?(francois) → review+
(In reply to François Marier [:francois] from comment #8)
> datareview+ for both patches

Can someone please check in this second patch (the follow up?). I just chatted with francois over IRC and figured that I actually need a datareview and he pointed out that we should use 'seceng-telemetry@mozilla.com' as the email address - thanks!

Please note that the first patch already got checked in; see comment 6.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d46d033148b
Change email from seceng@ to seceng-telemetry@. r=francois
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/bfa8d0189e50
https://hg.mozilla.org/mozilla-central/rev/3d46d033148b
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55