Security/Features: Difference between revisions

 
(23 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This page lists the security features under development and our plans for deployment.
{{warning|This page is no longer maintained.  Please see [[SecurityEngineering/Roadmap]] for current projects}}
 
This page once listed the security features under development and our plans for deployment.


= Status Overview =
= Status Overview =


{|class="fullwidth-table sortable" border
<table class="fullwidth-table sortable" border>
| '''Feature'''
<tr>
| '''Design'''
<th> Feature </th>
| '''Discussion'''
<th> Design </th>
| '''Review & Standards'''
<th> Discussion </th>
| '''Prototype'''  
<th> Review & Standards </th>
| '''Implementation'''
<th> Prototype  </th>
|-
<th> Implementation </th>
| Origin
<th> Version Target </th>
| Done
</tr>
| Done
<tr>
| In Progress
<td style='background-color:;'> Origin </td>
|
<td style='background-color:#cfc;'> Done </td>
|
<td style='background-color:#cfc;'> Done </td>
|-
<td style='background-color:#ffc;'> In Progress</td>
| [[Security/CSP|CSP]]  
<td style='background-color:#fcc;'>Not Started </td>
| Done (2/2009)
<td style='background-color:#fcc;'>Not Started</td>
| Pretty Much Done (9/2009)
<td style='background-color:#fcc;'>  </td>
|
</tr>
| Done (8/2008)
<tr>
| [http://hg.mozilla.org/mozilla-central/rev/7229621a1886 Done] (3/2010)
<td style='background-color:;'> [[Security/CSP|CSP]] </td>
|-
<td style='background-color:#cfc;'> Done (2/2009)</td>
| [https://bugzilla.mozilla.org/show_bug.cgi?id=495115 ForceTLS]  
<td style='background-color:#dfc;'> Pretty Much Done (9/2009)</td>
| Done (Q2 2009)
<td style='background-color:#fcc;'> Not Started</td>
| In Progress
<td style='background-color:#cfc;'> Done (8/2008)</td>
| In Progress
<td style='background-color:#cfc;'> [http://hg.mozilla.org/mozilla-central/rev/7229621a1886 Done] (3/2010)</td>
| Done (6/2009)
<td style='background-color:#cfc;'> 4.0 </td>
| In Progress
</tr>
|-
<tr>
| [[Security/ProcessIsolation|Process Isolation]]  
<td style='background-color:;'> [https://bugzilla.mozilla.org/show_bug.cgi?id=495115 ForceTLS] </td>
| Done
<td style='background-color:#cfc;'> Done (Q2 2009)</td>
| In Progress
<td style='background-color:#ffc;'> In Progress</td>
|
<td style='background-color:#ffc;'> [http://tools.ietf.org/html/draft-hodges-strict-transport-sec In Progress]</td>
|
<td style='background-color:#cfc;'> Done (8/2010)</td>
| In Progress
<td style='background-color:#cfc;'> [http://hg.mozilla.org/mozilla-central/rev/5dc3c2d2dd4f Done] (8/2009)</td>
|-
<td style='background-color:#cfc;'> 4.0 </td>
| X-Frame-Options
</tr>
| Done (Previous)
<tr>
| In Progress (stable)
<td style='background-color:;'> [[Security/ProcessIsolation|Process Isolation]] </td>
| Done (Previous)
<td style='background-color:#cfc;'> Done</td>
|  
<td style='background-color:#ffc;'> In Progress</td>
| In Progress
<td style='background-color:;'>&nbsp;</td>
|}
<td style='background-color:#eee;'> n/a </td>
<td style='background-color:#ffc;'> In Progress</td>
<td style='background-color:#ffc;'> ? </td>
</tr>
<tr>
<td style='background-color:;'> X-Frame-Options</td>
<td style='background-color:#cfc;'> Done (Previous)</td>
<td style='background-color:#ffc;'> In Progress (stable)</td>
<td style='background-color:#cfc;'> Done (Previous)</td>
<td style='background-color:#eee;'> n/a </td>
<td style='background-color:#cfc;'> [https://bugzilla.mozilla.org/show_bug.cgi?id=475530 Done]</td>
<td style='background-color:#cfc;'> 4.0 </td>
</tr>
<tr>
<td style='background-color:;'> [[Security/Features/Content Hashing|Content Hashing]]</td>
<td style='background-color:#ffc;'> in progress</td>
<td style='background-color:#ffc;'> in progress </td>
<td style='background-color:#fcc;'> tbd </td>
<td style='background-color:#fcc;'> tbd </td>
<td style='background-color:#fcc;'> tbd </td>
<td style='background-color:#fcc;'> ? </td>
</tr>
<tr>
<td style='background-color:;'> [[Security/Features/XSS Filter|XSS Filter]]</td>
<td style='background-color:#ffc;'> in progress</td>
<td style='background-color:#ffc;'> in progress </td>
<td style='background-color:#fcc;'> tbd </td>
<td style='background-color:#fcc;'> tbd </td>
<td style='background-color:#fcc;'> tbd </td>
<td style='background-color:#fcc;'> ? </td>
</tr>
 
</table>


= Projects =
= Projects =
This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.   
This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.   
SEE ALSO: [[Privacy/Features/]]
== Origin Header / Sec-From ==
== Origin Header / Sec-From ==
Beginning as an [[Security/Origin]] header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into [[Security/Sec-From]] that will not prevent clickjacking, but can be compatible with various other specifications for similar HTTP request headers.
Beginning as an [[Security/Origin]] header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into [[Security/Sec-From]] that will not prevent clickjacking, but can be compatible with various other specifications for similar HTTP request headers.
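Review bot: In the new HTML status table the ForceTLS row lists Prototype as "Done (8/2010)" and Implementation as "Done (8/2009)", which puts the implementation a year before the prototype. The wikitext row being replaced had the prototype at "Done (6/2009)", and the ForceTLS section further down gives Prototype Done (6/2009) and Implementation Done (8/2010), so the two dates look swapped or mistyped; align the row with the section. The Process Isolation row also marks Prototype as "n/a" while its section says "Prototype: In Process" and links build instructions, and the feature-name cells carry an empty "background-color:;" declaration that can be dropped.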
Line 183: Line 220:


Tasks:
Tasks:
* {{ok|IETF?}}
* {{ok|[http://tools.ietf.org/html/draft-hodges-strict-transport-sec IETF]}}
* {{ok|W3C?}}  (Currently submitted here by Paypal)
* <s>{{ok|W3C?}}  (Currently submitted here by Paypal)</s>


'''Prototype''': Done.  (6/2009)
'''Prototype''': Done.  (6/2009)
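Review bot: The W3C task is struck through but keeps its {{ok|W3C?}} status template and the remark "Currently submitted here by Paypal", where "here" has no link, so the line still reads as an open item with no stated outcome. Either remove the line or replace it with a sentence saying why the W3C route was dropped; the IETF item is clearer now that it links the draft.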
Line 195: Line 232:
* {{done|submit to AMO for screening and public dissemination}}
* {{done|submit to AMO for screening and public dissemination}}


'''Implementation''': In ProgressETA: Q2 2010
'''Implementation''': Done(8/2010)


Tasks:
Tasks:
* {{done|convert prototype to C++}} -- partially in JS, see {{bug|495115}}
* {{done|convert prototype to C++}} -- partially in JS, see {{bug|495115}}
* {{done|pick optimal location to scan for header}}
* {{done|pick optimal location to scan for header}}
* {{ok|write unit tests}}
* {{done|write unit tests}}
* {{ok|land on trunk}}
* {{done|[http://hg.mozilla.org/mozilla-central/rev/5dc3c2d2dd4f land] on trunk}}


== Process Isolation ==
== Process Isolation ==


'''Design''': In Process.
'''Design''': In Process.
https://wiki.mozilla.org/Electrolysis


''Goals''
''Goals''
* Create infrastructure to allow process separation within Firefox
* Create infrastructure to allow process separation within Firefox
* Put plugins in a separate process for stability reasons
* Create separate content processes for stability and performance reasons
* Create separate content processes for stability and performance reasons
* Implemented isolated processes to reduce the damage for various types of vulnerabilities
* Implemented isolated processes to reduce the damage for various types of vulnerabilities
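Review bot: The Implementation line is changed to "Done(8/2010)" while the first task under it is marked done but still annotated "-- partially in JS, see {{bug|495115}}", so it is unclear whether the C++ conversion is complete. State the final split between C++ and JS or drop the annotation, and add the missing space before "(8/2010)". In the Process Isolation section the added bare URL https://wiki.mozilla.org/Electrolysis could be the internal link [[Electrolysis]], matching the internal Electrolysis links used in the task list.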
Line 215: Line 255:
* {{done|[[Electrolysis#Phase_I:_Bootstrap|Phase 1 (bootstrap)]]}}
* {{done|[[Electrolysis#Phase_I:_Bootstrap|Phase 1 (bootstrap)]]}}
* {{done|[[IPC_Protocols]] design}}
* {{done|[[IPC_Protocols]] design}}
* {{ok|[[Electrolysis#Phase_II:_Parallel_Improvements|Phase 2 (Parallel Improvements)]]}}
* {{ok|}}[https://bugzilla.mozilla.org/showdependencytree.cgi?id=OOPP&hide_resolved=1 Out of process plugins]
* {{ok|[[Electrolysis#Phase_III:_extensions.2C_compatibility.2C_and_performance|Phase 3 (Extensions, Compatibility and Performance)]]}}
* {{ok|}}[https://wiki.mozilla.org/Electrolysis#Fennec_OOP-Tabs_Phase_II_.28In_process.29 Multi-process tabs]
* {{ok|[[Electrolysis#Fennec_OOP-Tabs_Phase_III:_extensions.2Fcompatibility.2Fperformance|Phase 3 (Extensions, Compatibility and Performance)]]}}
* {{ok|[[Electrolysis#Phase_IV:_Multiple_content_processes|Phase 4 (Multiple content processes)]]}}
* {{ok|[[Electrolysis#Phase_IV:_Multiple_content_processes|Phase 4 (Multiple content processes)]]}}
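Review bot: The two new task lines close the status template before the link ("{{ok|}}[... Out of process plugins]"), so the template is called with an empty argument and the link text sits outside it. If this was done because the "=" in the Bugzilla URL breaks an unnamed template parameter, pass the link as a numbered parameter instead, in the form {{ok|1=[URL label]}}. The "Multi-process tabs" link also points at this wiki with a full https URL where the neighbouring lines use internal [[Electrolysis#...]] links.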


Line 226: Line 267:
* {{done|Develop [[Security/ProcessIsolation/ThreatModel|threat model]]}}
* {{done|Develop [[Security/ProcessIsolation/ThreatModel|threat model]]}}


'''Review and Standardization''': ?
'''Review and Standardization''':
* IPD: https://wiki.mozilla.org/IPDL
* Pepper API could allow for sandboxed plugins: https://wiki.mozilla.org/Plugins:PlatformIndependentNPAPI


'''Prototype''': In Process.
'''Prototype''': In Process.
* [[Content_Processes/Build|Build Instructions for Prototype]]
* [[Content_Processes/Build|Build Instructions for Prototype]]


'''Implementation''': ?
'''Implementation''':


''Phases''
https://wiki.mozilla.org/Electrolysis#Implementation
* Plugin process separation - due to ship in Lorentz
* Out of process tabs - in process
* Add-on multi-process support and compatibility
* Performance, caching, process pools
* Sandboxing, of content processes and hopefully plugins


== <tt>X-Frame-Options</tt> ==
== <tt>X-Frame-Options</tt> ==
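Review bot: Under "Review and Standardization" the new bullet is labelled "IPD:" but links to https://wiki.mozilla.org/IPDL, so the label is missing its final letter; use "IPDL" or the internal link [[IPDL]]. The ''Phases'' list puts a bare URL line directly above the bullets and uses "in process" for status where the status table uses "In Progress"; pick one term.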
Line 249: Line 299:
* {{done|Make sure this will work along side [Security/CSP]}}
* {{done|Make sure this will work along side [Security/CSP]}}


'''Review and Standardization''':  ?
'''Review and Standardization''':
 
There does not exist a formal specification. Eric Lawrence's [http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx blog post on X-Frame-Options] serves as the closest thing to a spec.


'''Prototype''': None.
'''Prototype''': None.


'''Implementation''':  In Process.
'''Implementation''':  Done (see [https://bugzilla.mozilla.org/show_bug.cgi?id=475530 bug 4755300]).


''Tasks''
''Tasks''
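Review bot: The new Implementation line links show_bug.cgi?id=475530 but labels it "bug 4755300", one digit too many. Use the {{bug|475530}} template, as the ForceTLS task list does with {{bug|495115}}, so the label cannot drift from the target. The unchanged context line above still has [Security/CSP] in single brackets, which will not render as a wiki link.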
Line 259: Line 311:
* {{done|Implement Patch}}
* {{done|Implement Patch}}
* {{done|Implement Unit Tests}}
* {{done|Implement Unit Tests}}
* {{ok|Get reviewed and land on trunk}}
* {{done|Get reviewed and land on trunk}}