Security/Features: Difference between revisions
Revision as of 17:31, 15 July 2009
This page lists the security features under development and our plans for deployment.
Status Overview
| Feature | Goals | Design | Discussion | Review & Standards | Prototype | Implementation |
|---|---|---|---|---|---|---|
| Sec-From | Done | Done | In Progress | | | |
| CSP | Done (2/2009) | Done (5/2009) | In Progress | In Progress | In Progress | |
| ForceTLS | Done | In Progress | Done (5/2009) | Done (6/2009) | In Progress | |
| Process Isolation | Done | In Progress | In Progress | In Progress | | |
Projects
This section summarizes the status and basic goals of each project; it is not the ultimate authority on any of the features (the per-feature pages are).
Origin Header / Sec-From
Beginning as a Security/Origin header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into Security/Sec-From, which will not prevent clickjacking but can be made compatible with other specifications for similar HTTP request headers.
Design
Status: Done (6/18/2009)
Discussion over the behavior and uses of Sec-From has been ongoing, but has merged with the Internet Draft spec proposed by Adam Barth et al. [1].
The header is also mentioned in HTML 5 [2].
Goals
- Provide a reliably present "referrer" that
  - has minimal potential for privacy leak
  - reflects all redirects participating in the request
- Aid in detecting CSRF attempts
- Aid in preventing JSON data theft
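The last two goals are server-side decisions, so here is an added example (not code from this page or from the Sec-From/Origin drafts) of how a web application would consume such a header to detect CSRF and cross-site JSON reads. It assumes the header carries the requesting page's origin (scheme://host[:port]) or the literal string "null" when the browser withholds it, which is the CORS Origin behaviour the page says the proposal is being unified with; the header name, the `bank.example` site and all sample requests are constructed for illustration. The missing-header case matters: the "reliably present" goal above is what would let a server safely reject sensitive requests that arrive without the header, which `requireHeader` models.

```javascript
// Added example, not part of the original wiki page or the Sec-From drafts.
// Assumption: the header value is an origin ("https://host[:port]") or "null"
// (privacy-sensitive request), matching the CORS Origin header semantics.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Normalise an origin so "HTTPS://Bank.Example:443" compares equal to
// "https://bank.example". Returns null for anything that is not a bare origin.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (v === 'null') return 'null';
  let url;
  try { url = new URL(v); } catch { return null; }
  // A real origin has no path, query, fragment or credentials.
  if (url.pathname !== '/' || url.search || url.hash || url.username) return null;
  return url.origin; // lowercases the host and drops default ports
}

// request: { method, path, headers: { <lowercase name>: value } }
// policy:  { headerName, ownOrigins, jsonPaths, requireHeader }
// Returns { allow: boolean, reason: string }.
function checkRequest(request, policy) {
  const method = request.method.toUpperCase();
  const header = request.headers[policy.headerName.toLowerCase()];
  const isStateChanging = !SAFE_METHODS.has(method);
  const isJsonRead = !isStateChanging &&
    policy.jsonPaths.some((prefix) => request.path.startsWith(prefix));

  // Reads of non-sensitive resources need no origin check at all.
  if (!isStateChanging && !isJsonRead) return { allow: true, reason: 'safe read' };

  if (header === undefined) {
    // Without a reliably present header the server cannot tell a legacy
    // browser from an attacker who suppressed it; requireHeader decides.
    return policy.requireHeader
      ? { allow: false, reason: 'origin header missing' }
      : { allow: true, reason: 'origin header missing, legacy client allowed' };
  }

  const origin = normalizeOrigin(header);
  if (origin === null) return { allow: false, reason: 'malformed origin header' };
  if (origin === 'null') return { allow: false, reason: 'privacy-sensitive (null) origin' };
  if (!policy.ownOrigins.includes(origin)) {
    return {
      allow: false,
      reason: isJsonRead ? 'cross-site JSON read' : 'cross-site state change (CSRF)',
    };
  }
  return { allow: true, reason: 'same-site origin' };
}

// Constructed policy for a hypothetical site; header name is an assumption.
const policy = {
  headerName: 'Origin',
  ownOrigins: ['https://bank.example'],
  jsonPaths: ['/api/'],
  requireHeader: false,
};

// Constructed sample requests (not captured traffic).
const samples = {
  legitimatePost: { method: 'POST', path: '/transfer',    headers: { origin: 'https://bank.example' } },
  csrfPost:       { method: 'POST', path: '/transfer',    headers: { origin: 'https://evil.example' } },
  jsonTheft:      { method: 'GET',  path: '/api/balance', headers: { origin: 'https://evil.example' } },
  publicPage:     { method: 'GET',  path: '/index.html',  headers: { origin: 'https://evil.example' } },
  legacyPost:     { method: 'POST', path: '/transfer',    headers: {} },
  nullOrigin:     { method: 'POST', path: '/transfer',    headers: { origin: 'null' } },
  portVariant:    { method: 'POST', path: '/transfer',    headers: { origin: 'HTTPS://Bank.Example:443' } },
};

// Run every sample through the check and return name -> allowed.
function runSamples(p = policy) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = checkRequest(req, p).allow;
  return out;
}

console.table(runSamples());
```

With `requireHeader: false` the `legacyPost` sample is allowed, which is exactly the gap the "reliably present" goal is meant to close; flipping it to `true` rejects that request. The redirect goal cannot be checked server-side from a single header value, so the example does not attempt it.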
Discussion
Status: ?
We've synced up with Adam Barth and settled on a design. He is working with the CORS folks to see if his proposal can be unified with the Origin header they send.
- http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html (discussion about renaming from "Origin")
Review and Standardization
Status: In Progress. ETA: ?
Prototype
Status: Not Started. ETA: Q4 2009
Implementation
Status: Not Started. ETA: ?
Content Security Policy
Design
Status: In Progress. ETA: Q3 2009
Goals
Discussion
Status: ?
Review and Standardization
Status: In Progress. ETA: ?
Prototype
Status: In Progress. ETA: Q4 2009
Implementation
Status: In Progress. ETA: ?
ForceTLS
Design
Status: Done (6/18/2009)
Goals
Discussion
Status: ?
Review and Standardization
Status: In Progress. ETA: ?
Prototype
Status: Not Started. ETA: Q4 2009
Implementation
Status: Not Started. ETA: ?
Process Isolation
Design
Status: Done (6/18/2009)
Goals
Discussion
Status: ?
Review and Standardization
Status: In Progress. ETA: ?
Prototype
Status: Not Started. ETA: Q4 2009
Implementation
Status: Not Started. ETA: ?