Security/B2G/PermissionReview/Hostedrisks: Difference between revisions

(adding confidentiality/code integrity/https bits)
Line 10: Line 10:
* Prevent loading unsigned content on the gaia app origin or treat app as a separate content from the http(s) gaia location
* Prevent loading unsigned content on the gaia app origin or treat app as a separate content from the http(s) gaia location
* Maintain the strong CSP policy and reduce exceptions over time
* Maintain the strong CSP policy and reduce exceptions over time
* Maintain the single-page web-app architecture (i.e. back-end less)
* Maintain all the application logic in the client side (i.e. back-end less)
* Create an auditable approach to DOM XSS prevention (e.g. discouraging certain code patterns)
* Create an auditable approach to DOM XSS prevention (e.g. discouraging certain code patterns)
* Use CSRF prevention mechanisms like X-Frame-Options and CSP frame-ancestors
* Use CSRF prevention mechanisms like X-Frame-Options and CSP frame-ancestors
* Discourage code patterns that simply act on URL fragments (so-called CS#RF)
* Discourage code patterns that simply act on URL fragments (so-called CS#RF)
* Apply [https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility modern HTTPS] web hosting practices, with forward secrecy and HTTPS Public Key Pinning (HPKP).
* Apply [https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility modern HTTPS] web hosting practices, with forward secrecy and HTTPS Public Key Pinning (HPKP).


== Analysis & Rationale ==
== Analysis & Rationale ==
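Review bot: In the changed bullet, the new wording "Maintain all the application logic in the client side (i.e. back-end less)" drops the single-page constraint that the old line stated, so the recommendation now says where the logic lives but no longer that the app is a single page. If both properties are intended, keep both, for example "Maintain the single-page architecture with all application logic on the client side (i.e. without a back end)"; "in the client side" should read "on the client side" either way. The edit summary mentions confidentiality, code integrity and HTTPS additions, but in the lines shown here the HTTPS/HPKP bullet is identical on both sides, so those additions are not visible in this hunk.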