Ptheriault (talk | contribs) |
Ptheriault (talk | contribs) (→CSP) |
| Line 68: | Line 68: | ||
</bugzilla> | </bugzilla> | ||
=== CSP | === CSP - {{Bug|1153423}} === | ||
We need to make sure that it can't load scripts from outside of the signed package. And we need to make sure that it can't use inline scripts. | |||
The plan is to use the CSP code to accomplish this. We can mainly leverage existing code which enables applying a default CSP policy to certain content. We'll use this to apply a default CSP to all signed content similarly to how we currently apply a default CSP to all privileged apps. | The plan is to use the CSP code to accomplish this. We can mainly leverage existing code which enables applying a default CSP policy to certain content. We'll use this to apply a default CSP to all signed content similarly to how we currently apply a default CSP to all privileged apps. | ||
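Review bot: removing the requirements sentence ("We need to make sure that it can't load scripts from outside of the signed package. And we need to make sure that it can't use inline scripts.") leaves the next paragraph's "The plan is to use the CSP code to accomplish this" with nothing for "this" to refer to in the new revision. Either keep that sentence under the new "=== CSP - {{Bug|1153423}} ===" heading or reword the opening to state both goals directly, e.g. "The plan is to use the CSP code to prevent signed content from loading scripts from outside the signed package and from running inline scripts." Stating the two goals explicitly also matters because the later text distinguishes "from same package" from "from same origin", and a reader needs to know both the external-script and inline-script restrictions are intended.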
| Line 82: | Line 77: | ||
We'll also need to extend it to enable it to enforce loads to happen "from same package", rather than just "from same origin". | We'll also need to extend it to enable it to enforce loads to happen "from same package", rather than just "from same origin". | ||
We also can't allow signed content to be opened in an <iframe>, other than by pages from the same signed package. This is partially to prevent signed content from getting clickjacked. However it's also because we want to always open signed content in a separate OS process, and currently gecko does not support out-of-process plain <iframe>s. | We also can't allow signed content to be opened in an <iframe>, other than by pages from the same signed package. This is partially to prevent signed content from getting clickjacked. However it's also because we want to always open signed content in a separate OS process, and currently gecko does not support out-of-process plain <iframe>s. | ||
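Review bot: the "from same package" extension of CSP's same-origin check and the restriction on opening signed content in an <iframe> are described here without being tied to a work item, while the old revision's placeholder "Bug XXX - ensure script-src 'self' is restricted to inside the signed package" covered at least the first of them. Consider pointing both to {{Bug|1153423}} (or a dependent bug) and saying whether the <iframe> restriction is meant to be enforced by the default CSP or by the out-of-process work in the "Process isolation" section, since the text gives both clickjacking and process separation as reasons.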
| Line 89: | Line 82: | ||
Hopefully this is a restriction we can eventually relax, for example by allowing pages in a signed package to opt in to being iframe-able. But this will require out-of-process <iframe>s and so will have to wait. | Hopefully this is a restriction we can eventually relax, for example by allowing pages in a signed package to opt in to being iframe-able. But this will require out-of-process <iframe>s and so will have to wait. | ||
Bug XXX - ensure script-src 'self' is restricted to inside the signed package | |||
Bug XXX - default CSP for signed packaged content | |||
Bug XXX - create CSP tests for signed packages | |||
Bug XXX - investigate marketplace for apps that use CSP | |||
Bug XXX- Ensure that SW code is contain within package | |||
Bug XXX - ensure CSP actually prevents injecting inline script (through SW or otherwise) | |||
=== Process isolation === | === Process isolation === | ||
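Review bot: deleting the six "Bug XXX" placeholder items drops work that the single tracking bug in the heading does not obviously cover, in particular "create CSP tests for signed packages", "investigate marketplace for apps that use CSP", "Ensure that SW code is contain within package" and "ensure CSP actually prevents injecting inline script (through SW or otherwise)". The last two are the only mention on the page that scripts can enter a package through SW as well as through markup, so losing them weakens the threat description. Suggest keeping the list as dependencies of {{Bug|1153423}}, or filing the items and replacing "Bug XXX" with real {{Bug|...}} references, rather than removing them; the typo "is contain within" should become "is contained within" when the line is restored.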