* Mitigate Packet Sniffing Attacks
* Backward Compatibility with sites not employing CSP

Tasks:
* {{done|create specification}} [[Security/CSP/Spec]]
* {{ok|write up example use cases}}

'''Discussion''': In Progress.

Public discussion of the CSP design and specification has taken place in [http://groups.google.com/group/mozilla.dev.security mozilla.dev.security]. CSP is generally regarded as a good idea; the discussion has since moved on to compatibility, deployment and small edge cases.

Tasks:
* {{done|discuss [[Security/CSP/Spec]] spec in public forums}}
* {{done|get feedback (rinse, repeat) until comments are trivial}}
* {{ok|come to decision about whether or not to support meta tags}}
* {{ok|come to decision about whether or not to support multiple HTTP headers}}

'''Review and Standardization''': In Progress. ETA: ?

Appropriate paths for standardization and external review are being explored.

Tasks:
* {{ok|find a standards body that should review CSP}}
* {{ok|submit formal spec for review/feedback}}

'''Prototype''': Done. (8/2008)

The [http://people.mozilla.org/~bsterne/content-security-policy/download.html prototype implementation] was completed in August 2008. It implements an old version of CSP and does not provide the base restrictions.

Tasks:
* {{done|create add-on that enforces policies (minus base restrictions)}}
CSP [[Security/CSP/Spec|as specified]] is being implemented on mozilla-central and is targeted to land in Q3 2009. Progress can be followed in {{bug|493857}}.

Tasks:
* {{done|make patch to parse CSP policy in headers}}
* {{done|make patch to enforce CSP policy directives}}
* {{done|make patch to report policy violations}}
* {{ok|make patch to implement base restriction enforcements}}
* {{ok|land patch on trunk}}
* {{ok|create document explaining how to write a good policy}}
* {{ok|create document explaining how to convert a site to support CSP}}
* {{ok|create server-based test suite (for other UAs who implement CSP)}}

== ForceTLS ==
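The three implementation tasks above (parse the policy header, enforce its directives, report violations) and the open discussion question about multiple HTTP headers, as an added example that is not Mozilla's code and not the mozilla-central patch: a small Node.js model of the pipeline. It uses the standardized Content-Security-Policy syntax (default-src, script-src, 'self', 'unsafe-inline') rather than the 2009 draft's syntax, treats several headers the way CSP does today (a load must satisfy every policy), and builds a JSON violation report. The header values, document URL and resource URLs are constructed for the example; the function names are this example's own.

```javascript
// Added example, not Mozilla's implementation: a small model of CSP header
// parsing, source-list enforcement across several headers, inline-script
// gating, and violation reporting. Node.js; standardized CSP syntax.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Parse one header value into Map<directive-name, [source expressions]>.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins
  }
  return policy;
}

// Fall back to default-src when a fetch directive is absent; undefined => unrestricted.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src');
}

// Does a single source expression permit loading `url` into a document at `self`?
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === '*') return /^https?:$/.test(url.protocol);          // network schemes only
  if (e === "'self'") return url.origin === self.origin;
  if (e.startsWith("'")) return false;                            // 'none', 'unsafe-inline', ...
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;  // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // An explicit scheme must match; without one, the document's scheme or https is accepted.
  const schemeOk = scheme ? url.protocol === scheme + ':'
                          : url.protocol === self.protocol || url.protocol === 'https:';
  if (!schemeOk) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  const wantPort = port === undefined ? (DEFAULT_PORT[url.protocol] || '') : port;
  return wantPort === '*' || wantPort === urlPort;
}

// Shape of the JSON report a user agent POSTs to report-uri (fields as in CSP reports).
function violationReport(header, directive, url, self) {
  return {
    'csp-report': {
      'document-uri': self.href,
      // Cross-origin blocked URLs are reduced to their origin so the report
      // cannot leak a path the page itself was not allowed to see.
      'blocked-uri': url.origin === self.origin ? url.href : url.origin,
      'violated-directive': directive,
      'original-policy': header,
    },
  };
}

// Several CSP headers apply independently: the load must be allowed by all of them.
// Returns the decision plus one report per policy that rejected the load.
function checkLoad(headers, directive, urlString, selfString) {
  const url = new URL(urlString), self = new URL(selfString);
  const reports = [];
  for (const header of headers) {
    const sources = effectiveSources(parsePolicy(header), directive);
    if (sources === undefined) continue; // this policy does not restrict the directive
    if (!sources.some(expr => sourceMatches(expr, url, self))) {
      reports.push(violationReport(header, directive, url, self));
    }
  }
  return { allowed: reports.length === 0, reports };
}

// Inline <script> runs only if every policy's effective script-src opts in with 'unsafe-inline'.
function inlineScriptAllowed(headers) {
  return headers.every(h => {
    const sources = effectiveSources(parsePolicy(h), 'script-src');
    return sources === undefined || sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  });
}

// Constructed sample: two headers as a server (or server plus proxy) might emit them.
const SAMPLE_HEADERS = [
  "default-src 'self'; img-src *; script-src 'self' *.cdn.example.com",
  "script-src 'self' static.cdn.example.com https://other.example.org",
];
const DOC = 'https://app.example.com/index.html';

console.log(JSON.stringify(checkLoad(SAMPLE_HEADERS, 'script-src',
  'https://evil.cdn.example.com/x.js', DOC), null, 2));
console.log('inline script allowed:', inlineScriptAllowed(SAMPLE_HEADERS));
```

The second header is what makes the multiple-header question concrete: the first policy's wildcard would admit any host under cdn.example.com, but the second only admits static.cdn.example.com, so a script from evil.cdn.example.com is blocked and reported against the second policy only. A non-default port also fails the host-source match, which is why an explicit port must be written into the policy when the resource is served on one.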