canmove, Confirmed users
285
edits
Security/Features/Mixed Content Blocker: Difference between revisions
Jump to navigation
Jump to search
Security/Features/Mixed Content Blocker (view source)
Revision as of 00:06, 9 April 2013
, 9 April 2013no edit summary
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
|Feature stage=Development | |Feature stage=Development | ||
|Feature status=In progress | |Feature status=In progress | ||
|Feature version= | |Feature version=Firefox 23 | ||
|Feature health=OK | |Feature health=OK | ||
}} | }} | ||
{{FeatureTeam | {{FeatureTeam | ||
|Feature product manager= | |Feature product manager=Sid Stamm | ||
|Feature feature manager=Tanvi Vyas | |Feature feature manager=Tanvi Vyas | ||
|Feature lead engineer=Tanvi Vyas | |Feature lead engineer=Tanvi Vyas | ||
| Line 13: | Line 13: | ||
|Feature privacy lead=Sid Stamm | |Feature privacy lead=Sid Stamm | ||
|Feature qa lead=Virgil Dicu | |Feature qa lead=Virgil Dicu | ||
|Feature ux lead= | |Feature ux lead=Larissa Co | ||
|Feature additional members=Brandon Sterne | |Feature additional members=Brandon Sterne | ||
}} | }} | ||
{{FeaturePageBody | {{FeaturePageBody | ||
|Feature | |Feature open issues and risks== UI tweaks = | ||
* https://bugzilla.mozilla.org/show_bug.cgi?id=834828 - Make mixed content blocker more discoverable | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=834830 - Strike through https | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=827595 - UI Redesign Tweaks | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=838402 - Update Site Identity messages | |||
* v2 Technical Information section that shows what is blocked. | |||
= Bugs related to Developer and User Information = | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=837351 - Webconsole + Error Console alerts when Mixed Content is Blocked | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=781018 - Telemetry | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=839238 - Lots of Documentation | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=822373 - Learn More pages for Mixed Content Blocker | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - Distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent | |||
= Edge Cases = | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=418354, https://bugzilla.mozilla.org/show_bug.cgi?id=456957 - Redirects | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=815345 - Session Restore and document.write | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=836352 - Object Subrequests | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=838395 - Relying on HSTS to prevent Mixed Content | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - Mixed content in iframes. | |||
|Feature overview=The Mixed Content Blocker prevents "mixed script" content, defined as mixed content loads of scripts, plugins, and stylesheets, from being loaded into a secure web page. The primary threat model is the active network attacker who modifies the contents of mixed script resources to compromise the integrity of a secure web application. This feature blocks mixed scripts from loading by default, and adds UI that enables a user to reload the page with the insecure content permitted to load. | |||
|Feature non-goals=To prevent the disclosure of cookies and other sensitive data through mixed display content, such as images | |Feature non-goals=To prevent the disclosure of cookies and other sensitive data through mixed display content, such as images, and video. We have a pref, disabled by default, which when enabled would block these loads as well using the same infrastructure. | ||
|Feature functional spec=Blocking of the mixed content loads occurs at the nsIContentPolicy level. When such a block occurs, the content policy fires an event at the document containing the mixed content, which causes the browser to display UI notifying the user that content was blocked, and providing the option to reload the page with the mixed content enabled. | |Feature functional spec=Blocking of the mixed content loads occurs at the nsIContentPolicy level. When such a block occurs, the content policy fires an event at the document containing the mixed content, which causes the browser to display UI notifying the user that content was blocked, and providing the option to reload the page with the mixed content enabled. | ||
The reload-with-insecure-content flag is stored on the session history entry, so navigating back and forward through the browsing history, if a page was allowed to load mixed content, would cause the page to be rendered with mixed content again. If the mixed content page is visited in a new tab, or the navigation chain is otherwise broken, then the page will go back to the default block-mixed-content state. | The reload-with-insecure-content flag is stored on the session history entry, so navigating back and forward through the browsing history, if a page was allowed to load mixed content, would cause the page to be rendered with mixed content again. If the mixed content page is visited in a new tab, or the navigation chain is otherwise broken, then the page will go back to the default block-mixed-content state. | ||
|Feature ux design= | |Feature ux design=http://people.mozilla.com/~lco/ProjectSPF/Mixed_Content/Mixed_Content_Spec/ | ||
|Feature implementation plan=https://bugzilla.mozilla.org/show_bug.cgi?id= | |Feature implementation plan=https://bugzilla.mozilla.org/show_bug.cgi?id=815321 - Master Bug | ||
}} | }} | ||
{{FeatureInfo | {{FeatureInfo | ||