Security/Android/Capability-Matrix
Latest revision as of 20:54, 1 April 2013
About
A comparison of security features for various Android mobile browsers
Security Feature Support
| Feature | Firefox for Android | Firefox vs. Android browser (Leading / Neutral / Trailing) | Android 2.2.x | Android 2.3.x | Android 3.0.x | Android 3.1.x | Android 3.2.x | Android 4.0.x | Chrome | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| HttpOnly cookie attribute | Yes | Leading | No | No | No | No | | Yes | Yes | |
| Secure cookie attribute | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | Yes | |
| STS (HTTP Strict Transport Security) | Yes | Leading | No | No | No | No | | No | Yes | |
| X-Frame-Options | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Origin header (bug 446344, 2011-01-05) | No | Trailing | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Browserscope tests | | | | | | | | | | |
| postMessage | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| JSON.parse | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| toStaticHTML (bug 443564, 2008-10-06) | No | Neutral | No | No | No | No | | No | No | |
| X-Content-Type-Options (bug 471020, 2012-06-04) | No | Neutral | No | No | No | No | | No | Yes | |
| Block reflected XSS (bug 528661, 2012-06-04) | No | Neutral | No | No | No | No | | No | Yes | |
| Block location spoofing | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Block JSON hijacking | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Block XSS in CSS | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| iframe sandbox attribute (bug 341604, 2012-06-04) | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Block cross-origin CSS attacks | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Content Security Policy | Yes | Leading | No | No | No | No | | No | Yes | |
| CORS | Yes | Neutral | Yes | Yes | Yes | Yes | | Yes | Yes | |
| Block visited link sniffing | Yes | Neutral | No | No | Yes | Yes | | Yes | Yes | |
| Other | | | | | | | | | | |
| Do Not Track | Yes | Leading | No | No | No | No | No | No | No | |
| Private browsing (bug 582244, 2012-01-09) | Yes | Neutral | No | No | Yes | Yes | Yes | Yes* | Yes | Prominent in the UI as of Firefox 20; before that it exists but is hard to find (open a new tab, then press the menu button). |
| Process sandboxing (bug 730956, 2012-04-19) | No | Neutral | No | No | No | No | No* | ? | Yes | Based on Alex Russell's comments here: http://www.quora.com/Google-Chrome/Is-the-browser-in-Android-Honeycomb-Chrome-And-if-so-what-version-is-it |
| Master password | Yes | Leading | No | No | No | No | No | No | | |
| CA pinning (bug 744204, 2012-04-10) | No | | | | | | | | Yes | Android: almost certainly not (not even Market / Play uses pinning). I've been trying to come up with a good test for this today; so far I've failed miserably. |
| Click to Play | Yes | Leading | No | No | No | No | No | No | | The Android default for plugins is "Always on"; the options are "Always on", "On demand" and "Off". |
| JavaScript controls | No** | Trailing | Yes | Yes | Yes | No | Yes | Yes | | Fennec has no UI option to disable JS; javascript.enabled can be changed in about:config. The Android browser can disable JS; it defaults to enabled. |
| Cookie controls | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | No individual clear option; Fennec data clearing is under Clear private data. Android cookie storage is enabled by default, and cookies can be cleared. |
| Password controls | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | No individual clear option; Fennec data clearing is under Clear private data. Passwords are saved by default on Android, and stored passwords can be cleared. |
| Security warnings | Yes | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | Fennec has no option for security warnings, but they are enabled by default. Security warnings are enabled by default on Android. |
| Permissions manager? | Yes? | Neutral | Yes | Yes | Yes | Yes | Yes | Yes | | Fennec has a "Clear site settings" option; no more granular option was seen. Android 4.0.3: Settings -> Advanced -> Website Settings allows clearing individual settings/data per website (e.g. localStorage, geolocation). |
| SNI (Server Name Indication) | Yes | Neutral | No | No | Yes | Yes | Yes | Yes | Yes | |
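The matrix records results without saying how they were obtained. The following is an added example, not code from this wiki page or from Browserscope, showing how several of the script-detectable rows above (postMessage, JSON.parse, toStaticHTML, iframe sandbox, CORS, Do Not Track) and the HttpOnly row can be probed from a browser's console. It is written in ES5 so it can be pasted as-is into the older engines in the table. `probeFeatures()` takes the global object, so call `probeFeatures(window)` in a browser; under Node it can be exercised with a constructed stand-in for `window`. The HttpOnly probe assumes a test page whose server set a cookie with the HttpOnly attribute; the cookie name `probe_httponly` is chosen here for illustration.

```javascript
// Added example (not code from the wiki page or from Browserscope): console
// probes that reproduce several rows of the capability matrix. ES5 on purpose,
// so it runs unchanged on the 2011-era engines listed there.

function probeFeatures(g) {
  function isFn(obj, name) {
    return obj != null && typeof obj[name] === "function";
  }
  var r = {};

  // postMessage: cross-document messaging is exposed as window.postMessage.
  r.postMessage = isFn(g, "postMessage");

  // JSON.parse: native parser, the safe alternative to eval() on JSON input.
  r.jsonParse = isFn(g.JSON, "parse");

  // toStaticHTML: IE's built-in sanitiser; expected absent in every engine
  // listed in the matrix.
  r.toStaticHTML = isFn(g, "toStaticHTML");

  // iframe sandbox: supporting engines reflect the attribute as a property on
  // a freshly created <iframe>, so no page load is needed to detect it.
  r.iframeSandbox =
    g.document != null &&
    isFn(g.document, "createElement") &&
    "sandbox" in g.document.createElement("iframe");

  // CORS: XMLHttpRequest level 2 exposes withCredentials; an engine without it
  // cannot make credentialed cross-origin requests.
  r.cors = false;
  if (g.XMLHttpRequest) {
    try {
      r.cors = "withCredentials" in new g.XMLHttpRequest();
    } catch (e) {
      r.cors = false;
    }
  }

  // Do Not Track: navigator.doNotTrack exists on engines that implement DNT
  // and is "1" ("yes" in some early builds) when the user has opted in.
  var dnt = g.navigator != null ? g.navigator.doNotTrack : undefined;
  r.doNotTrack = dnt !== undefined && dnt !== null;
  r.dntOptedIn = dnt === "1" || dnt === "yes";

  return r;
}

// HttpOnly probe in the Browserscope style. Assumes the test page's server set
// a cookie named probeName with the HttpOnly attribute, e.g.
// "Set-Cookie: probe_httponly=1; HttpOnly" (name chosen for illustration).
// If script can still see that name in document.cookie, HttpOnly is not honoured.
function httpOnlyHonoured(documentCookie, probeName) {
  var parts = documentCookie.split(";");
  for (var i = 0; i < parts.length; i++) {
    var name = parts[i].replace(/^\s+/, "").split("=")[0];
    if (name === probeName) {
      return false;
    }
  }
  return true;
}

// Render probe results as the Yes/No cells used in the matrix.
function toMatrixCells(results) {
  var cells = {};
  for (var key in results) {
    if (Object.prototype.hasOwnProperty.call(results, key)) {
      cells[key] = results[key] ? "Yes" : "No";
    }
  }
  return cells;
}

// In a browser console this prints the Yes/No cells for the current browser.
if (typeof window !== "undefined") {
  console.log(JSON.stringify(toMatrixCells(probeFeatures(window)), null, 2));
}
```

The header-driven rows (STS, X-Frame-Options, X-Content-Type-Options, Content Security Policy, HttpOnly) cannot be detected from script alone; they need a test page served with the relevant header, which is why `httpOnlyHonoured()` takes the server-set cookie as a precondition rather than trying to set one itself.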