m (→Projects)
'''Design''': In Progress. ETA: Q3 2009
[[Security/CSP|Content Security Policy]] is intended to mitigate a large class of web application vulnerabilities, including Cross-Site Scripting.
The [[Security/CSP/Spec|CSP spec]] has been iterated upon many times and is approaching a stable configuration.
''Goals''
* (Primary) Mitigate Cross-Site Scripting (XSS)
* Mitigate Clickjacking
* Mitigate Packet Sniffing Attacks
* Backward compatibility with sites not employing CSP
'''Discussion''': In Progress.
Public discussion of the CSP design and specification has taken place in [http://groups.google.com/group/mozilla.dev.security mozilla.dev.security]. CSP is generally regarded as a good idea, and the discussion has moved on to compatibility, deployment and minor edge cases.
'''Review and Standardization''': In Progress. ETA: ?
Appropriate paths for standardization and external review are being explored.
'''Prototype''': Done. (8/2008)
[http://people.mozilla.org/~bsterne/content-security-policy/download.html Prototype implementation] was completed in August 2008. It implements an older version of CSP and does not provide the base restrictions.
'''Implementation''': In Progress. ETA: Q3 2009
CSP [[Security/CSP/Spec|as specified]] is being implemented on mozilla-central and is targeted to land in Q3 2009. It can be followed in {{bug|493857}}.
== ForceTLS ==