This page lists the security features under development and our plans for deployment.

Status Overview

Projects

This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.

Origin Header / Sec-From

Beginning as an Security/Origin header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into Security/Sec-From that will not prevent clickjacking, but can be compatible with various other specifications for similar HTTP request headers.

Design: Done (6/18/2009) Discussion over the behavior and uses of Sec-From has been ongoing.

Tasks:

• [DONE] Write up an informal spec Security/Origin
• [DONE] Unify spec with Adam Barth's Internet Draft [1].
• [ON TRACK] Unify with CORS "Origin" or pick a new header name to avoid incompatibility. Reworked as Security/Sec-From.

Such an "Origin" header is also mentioned in HTML 5 [2].

Goals:

• Provide a reliably present "referrer" that
  • has minimal potential for privacy leak
  • reflects all redirects participating in the request
• aid in detecting CSRF attempts
• aid in preventing JSON data theft

Discussion: In Progress

We've synced up with Adam Barth and settled on a design. He is working with the CORS folks to see if his proposal can be unified with the Origin header they send.

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html

discussion about renaming from "Origin"

Tasks:

• [DONE] Settle on a design. Security/Sec-From
• [NEW] Initiate public discussion on newsgroups and other public forums

Review and Standardization: In Progress. ETA: ?

Tasks:

• [ON TRACK] Find appropriate standards body to review this feature.
• [NEW] Submit to standards body. Security/Sec-From

Prototype: Not Started. ETA: Q4 2009

Tasks:

• [NEW] create add-on that appropriately serves this header.
• [NEW] create test suite that verifies values and presence of the header.

Implementation: Not Started. ETA: ?

Tasks:

• [NEW] patch mozilla-central
• [NEW] convert prototype test suite to automated tests

Content Security Policy

Design: In Progress. ETA: Q3 2009

Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities including Cross Site Scripting.

The CSP spec has been iterated upon many times and is approaching a stable configuration.

Goals

• (Primary) Mitigate Cross Site Scripting (XSS)
• Mitigate Clickjacking
• Mitigate Packet Sniffing Attacks
• Backward Compatibility with sites not employing CSP

Discussion: In Progress.

Public discussion of the CSP design and specification has taken place in mozilla.dev.security. CSP is generally discussed as a good idea, and the discussion has evolved into a compatibility, deployment and small edge-case discussion.

Review and Standardization: In Progress. ETA: ?

Appropriate paths for standardization and external review are being explored.

Prototype: Done. (8/2008)

Prototype implementation was completed in August 2008. It implements an old version of CSP and does not provide the base restrictions.

Implementation: In Progress. ETA: Q3 2009

CSP as specified is being implemented on mozilla-central and is aimed for landing in Q3 2009. It can be followed in bug 493857.

ForceTLS

Design: Done (6/18/2009)

http://forcetls.sidstamm.com/

Goals

• Allow sites to "default" to HTTPS
• Help prevent MITM due to HTTPS stripping (re-serving sites as HTTP instead of HTTPS).

Discussion: Done.

The topic is pretty much simple and the edge cases have mostly been taken care of. Any remaining issues will be exposed in the standardization process.

Review and Standardization: In Progress. ETA: ?

Prototype: Done. (6/2009)

https://addons.mozilla.org/en-US/firefox/addon/12714

Implementation: Not Started. ETA: ?

Process Isolation

Design: Done (6/18/2009)

Goals

• Reduce the damage for various types of vulnerabilities within Firefox.

Discussion: In Progress.

Review and Standardization:  ?

Prototype: ?

Implementation:  ?