Security/Android/Capability-Matrix
About
A comparison of security features for various Android mobile browsers
Security Feature Support
| Feature | Firefox for Android | Leading, Neutral, Trailing | Android 2.2.x | Android 2.3.x | Android 3.0.x | Android 3.1.x | Android 3.2.x | Android 4.0.x | Chrome | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| HTTPOnly cookie attribute | Yes | Leading | No | No | No | No | Yes | Yes | | |
| Secure cookie attribute | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| STS | Yes | Leading | No | No | No | No | No | Yes | | |
| X-Frame-Options | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Origin header 446344 (2011-01-05) | No | Trailing | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Browserscope tests | | | | | | | | | | |
| postMessage | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| JSON.parse | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| toStaticHTML 443564 (2008-10-06) | No | Neutral | No | No | No | No | No | No | | |
| X-Content-Type-Options 471020 (2012-06-04) | No | Neutral | No | No | No | No | No | Yes | | |
| Block reflected XSS 528661 (2012-06-04) | No | Neutral | No | No | No | No | No | Yes | | |
| Block location spoofing | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Block JSON Hijacking | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Block XSS in CSS | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| iFrame sandbox attribute 341604 (2012-06-04) | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Block cross-origin CSS attacks | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Content Security Policy | Yes | Leading | No | No | No | No | No | Yes | | |
| CORS | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | |
| Block visited link sniffing | Yes | Neutral | No | No | Yes | Yes | Yes | Yes | | |
| Other | | | | | | | | | | |
| Do Not Track | Yes | Leading | No | No | No | No | No | No | No | |
| Private browsing 582244 (2012-01-09) | Yes | Neutral | No | No | Yes | Yes | Yes | Yes* | Yes | Prominent as of Firefox 20. Prior to that it's there but hard to find: go to "new tab", then hit the menu button. |
| Process Sandboxing 730956 (2012-04-19) | No | Neutral | No | No | No | No | No* | ? | Yes | Based on Alex Russell's comments here: http://www.quora.com/Google-Chrome/Is-the-browser-in-Android-Honeycomb-Chrome-And-if-so-what-version-is-it |
| Master password | Yes | Leading | No | No | No | No | No | No | | |
| CA Pinning 744204 (2012-04-10) | No | Yes | Android - almost certainly not (not even market / play uses pinning). I've been trying to come up with a good test for this today - so far I've failed miserably | | | | | | | |
| Click to Play | Yes | Leading | No | No | No | No | No | No | | Android default for plugins is "Always on". There are options for "Always on", "On demand" and "Off". |
| JavaScript controls | No** | Trailing | Yes | Yes | Yes | No | Yes | Yes | | Fennec has no option to disable JS in the UI. Can change javascript.enabled in about:config. Android JS can be disabled; defaults to enabled. |
| Cookie controls | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | No individual option for clearing; Fennec data clearing is under Clear private data. Android cookie storage is enabled by default. Cookies can be cleared. |
| Password controls | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | No individual option for clearing. Fennec data clearing is under Clear private data. Passwords are saved by default on Android. Stored passwords can be cleared. |
| Security warnings | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | Fennec has no option for security warnings, but they are enabled by default. Security warnings are enabled by default on Android. |
| Permissions manager? | Yes? | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | Fennec has an option for "Clear site settings"; didn't see a more granular option. 4.0.3 Settings->Advanced->Website Settings allows you to clear individual settings/data per website (e.g. localstorage, geolocation). |
| SNI (Server Name Indication) | Yes | Neutral | No | No | Yes | Yes | Yes | Yes | Yes | |