Security/Android/Capability-Matrix

From MozillaWiki
Jump to navigation Jump to search

About

A comparison of security features for various Android mobile browsers

Security Feature Support

Feature Firefox for Android Leading, Neutral, Trailing Android 2.2.x Android 2.3.x Android 3.0.x Android 3.1.x Android 3.2.x Android 4.0.x Chrome Notes
HTTPOnly cookie attribute Yes Leading No No No No Yes Yes
Secure cookie attribute Yes Neutral Yes Yes Yes Yes Yes Yes Yes
STS Yes Leading No No No No No Yes
X-Frame-Options Yes Neutral Yes Yes Yes Yes Yes Yes
Origin header 446344 (2011-01-05) No Trailing Yes Yes Yes Yes Yes Yes
Browserscope tests
postMessage Yes Neutral Yes Yes Yes Yes Yes Yes
JSON.parse Yes Neutral Yes Yes Yes Yes Yes Yes
toStaticHTML 443564 (2008-10-06) No Neutral No No No No No No
X-Content-Type-Options 471020 (2012-06-04) No Neutral No No No No No Yes
Block reflected XSS 528661 (2012-06-04) No Neutral No No No No No Yes
Block location spoofing Yes Neutral Yes Yes Yes Yes Yes Yes
Block JSON Hijacking Yes Neutral Yes Yes Yes Yes Yes Yes
Block XSS in CSS Yes Neutral Yes Yes Yes Yes Yes Yes
iFrame sandbox attribute 341604 (2012-06-04) yes Neutral Yes Yes Yes Yes Yes Yes
Block cross-origin CSS attacks Yes Neutral Yes Yes Yes Yes Yes Yes
Content Security Policy Yes Leading No No No No No Yes
CORS Yes Neutral Yes Yes Yes Yes Yes Yes
Block visited link sniffing Yes Neutral No No Yes Yes Yes Yes
Other
Do Not Track Yes Leading No No No No No No No
Private browsing 582244 (2012-01-09) Yes Neutral No No Yes Yes Yes Yes* Yes Prominent as of Firefox 20. [Prior it's there but hard to find. Go "new tab" then hit the menu button]
Process Sandboxing 730956 (2012-04-19) No Neutral No No No No No* ? Yes Based on Alex Russell's comments here: http://www.quora.com/Google-Chrome/Is-the-browser-in-Android-Honeycomb-Chrome-And-if-so-what-version-is-it
Master password Yes Leading No No No No No No
CA Pinning 744204 (2012-04-10) No Yes Android - almost certainly not (not even market / play uses pinning). I've been trying to come up with a good test for this today - so far I've failed miserably
Click to Play Yes Leading No No No No No No Android default for plugins is "Always on". There are options for "Always on" "On demand" and "Off"
Javascript controls No** Trailing Yes Yes Yes No Yes Yes Fennec has no option to disable JS in UI. Can change javascript.enabled in about:config. Android JS can be disabled, defaults to enabled
Cookie controls Yes Neutral Yes Yes Yes Yes Yes Yes No individual option for clearing, Fennec data clearing is under Clear private data. Android cookie storage is enabled by default. Cookies can be cleared.
Password controls Yes Neutral Yes Yes Yes Yes Yes Yes No individual option for clearing. Fennec data clearing is under Clear private data. Passwords are saved by default in android. Stored passwords can be cleared.
Security warnings Yes Neutral Yes Yes Yes Yes Yes Yes Fennec has no option for Security warnings, but they are enabled by default. Security warnings are enabled by default on Android
Permissions manager? Yes? Neutral Yes Yes Yes Yes Yes Yes Fennec has option for "Clear site settings" didn't see a more granular option. 4.0.3 Settings->Advanced->Website Settings allows you to clear individual settings/data per website (e.g. localstorage, geolocation)
SNI (Server Name Indication) Yes Neutral No No Yes Yes Yes Yes Yes
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Android/Capability-Matrix&oldid=642916"