Site security state store

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Status

Site security state store
Stage Draft
Status `
Release target `
Health OK
Status note `

Team

Product manager `
Directly Responsible Individual `
Lead engineer `
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members `

Open issues/risks

`

Stage 1: Definition

1. Feature overview

There have been several HTTP extensions that handle security attributes such as HSTS and ca-pinning. These attributes are site initiated and thus should have different semantics than pinning. Currently this data lives on the site permissions with three main problems:

  1. access r/w is not thread safe
  2. is not aware of private browsing
  3. Does not allow for storage of arbitrary data.

2. Users & use cases

  • HSTS Storage
  • CA Pinning storage

3. Dependencies

`

4. Requirements

  1. Thread safe
  2. Private browsing aware
  3. Store for JSON data
  4. Expiration for data
  5. indexed on per site
  6. Allowing tree queries, but limit them to eTLD+1
  7. Scriptable access.
  8. Atomic quering and insertion.
  9. have a simple way to embed defaults in the source (for new profiles or db corruption)

Nice to have:

  • Optimized for minimal impact to page loads. Most pages would not have any of this.
  • Optimize the call pattern so we can minimize the number of method calls (i.e. callers should be able to check at the beginning of a page load and then not again, rather than one call per resource).
  • Incorporate cert exceptions if possible.

To think about:

  • If we still care about CAPS, replace it with this.

Non-goals

  • While the data in this storage shall not be directly accessible to sites we will not commit to prevent tracking via this data set.

Stage 2: Design

5. Functional specification

`

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

`


Feature details

Priority Unprioritized
Rank 999
Theme / Goal `
Roadmap `
Secondary roadmap `
Feature list `
Project `
Engineering team `

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `