Security/Features
Revision as of 19:12, 15 July 2009
This page lists the security features under development and our plans for deployment.
Status Overview
| Feature | Design | Discussion | Review & Standards | Prototype | Implementation |
|---|---|---|---|---|---|
| Sec-From | Done | Done | In Progress | | |
| CSP | Done (2/2009) | In Progress | | Done (8/2008) | In Progress |
| ForceTLS | Done (Q2 2009) | In Progress | In Progress | Done (6/2009) | In Progress |
| Process Isolation | Done | In Progress | In Progress | In Progress | |
Projects
This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.
Origin Header / Sec-From
Beginning as a Security/Origin header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into Security/Sec-From, which will not prevent clickjacking but can be made compatible with other specifications of similar HTTP request headers.
Design: Done (6/18/2009)
Discussion over the behavior and uses of Sec-From has been ongoing.
Tasks:
- [DONE] Write up an informal spec Security/Origin
- [DONE] Unify spec with Adam Barth's Internet Draft [1].
- [ON TRACK] Unify with CORS "Origin" or pick a new header name to avoid incompatibility. Reworked as Security/Sec-From.
Such an "Origin" header is also mentioned in HTML 5 [2].
Goals:
- Provide a reliably present "referrer" that
  - has minimal potential for privacy leak
  - reflects all redirects participating in the request
- Aid in detecting CSRF attempts
- Aid in preventing JSON data theft
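The goals above describe what a server can do once the browser reliably sends an origin header: reject forged state-changing requests and refuse JSON reads pulled in by a cross-site script include. The following is an added illustration of that server-side check, not Mozilla's Sec-From prototype. It assumes things the page does not fix: the header name ("Sec-From" here, configurable so "Origin" works too), a value that is a space-separated list of serialized origins covering every hop of a redirect chain, and the literal "null" when a browser withholds the origin for privacy.

```javascript
// Added illustrative code, not Mozilla's Sec-From prototype. Assumptions not
// fixed by the page: the request header is named "Sec-From" (configurable below,
// so "Origin" works too), its value is a space-separated list of serialized
// origins covering every hop of a redirect chain, and a browser that withholds
// the origin for privacy sends the literal "null".

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Split the header into its origins. A missing header yields an empty list;
// "null" is kept as a token and will never match a trusted origin.
function parseOrigins(value) {
  if (typeof value !== "string") return [];
  return value.trim().split(/\s+/).filter(Boolean);
}

// Decide whether to serve a request. `req` is {method, path, headers} with
// lower-cased header names (as Node's http module delivers them). `site` lists
// the origins allowed to send state-changing requests and the path prefixes of
// JSON endpoints that must not be readable through a cross-site <script> include.
function checkRequest(req, site) {
  const origins = parseOrigins(req.headers[site.headerName]);
  const stateChanging = !SAFE_METHODS.has(req.method.toUpperCase());
  const jsonEndpoint = site.jsonPaths.some((p) => req.path.startsWith(p));

  // Plain page reads are not what the header protects; let them through.
  if (!stateChanging && !jsonEndpoint) return { allow: true, reason: "safe read" };

  // The header is meant to be reliably present, so its absence on a protected
  // request is treated as a legacy or hostile client and fails closed.
  if (origins.length === 0) return { allow: false, reason: "missing " + site.headerName };

  // Every origin in the chain must be trusted: a redirect bounced through an
  // attacker's page must not be able to launder a forged request.
  const bad = origins.find((o) => !site.trustedOrigins.includes(o));
  if (bad !== undefined) return { allow: false, reason: "untrusted origin " + bad };
  return { allow: true, reason: "all origins trusted" };
}

// Constructed deployment and sample requests (not captured traffic).
const SITE = {
  headerName: "sec-from",
  trustedOrigins: ["https://bank.example"],
  jsonPaths: ["/api/"],
};

const SAMPLE_REQUESTS = [
  { method: "POST", path: "/transfer", headers: { "sec-from": "https://bank.example" } },          // same-site form post
  { method: "POST", path: "/transfer", headers: { "sec-from": "https://evil.example" } },          // classic CSRF
  { method: "POST", path: "/transfer", headers: {} },                                                // header withheld
  { method: "GET",  path: "/api/accounts.json", headers: { "sec-from": "https://evil.example" } }, // JSON theft via <script src>
  { method: "GET",  path: "/help", headers: {} },                                                    // harmless read
  { method: "POST", path: "/transfer", headers: { "sec-from": "https://evil.example https://bank.example" } }, // redirect chain
];

for (const req of SAMPLE_REQUESTS) {
  const d = checkRequest(req, SITE);
  console.log(`${req.method} ${req.path}: ${d.allow ? "allow" : "block"} (${d.reason})`);
}
```

The last sample is the case the "reflects all redirects" goal exists for: the final hop is the trusted site, but the request originated on the attacker's page, so checking only the last origin would let it through.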
Discussion: In Progress
We've synced up with Adam Barth and settled on a design. He is working with the CORS folks to see if his proposal can be unified with the Origin header they send.
- http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html
- discussion about renaming from "Origin"
Tasks:
- [DONE] Settle on a design. Security/Sec-From
- [ON TRACK] Initiate public discussion on newsgroups and other public forums
Review and Standardization: In Progress. ETA: ?
Tasks:
- [ON TRACK] Find appropriate standards body to review this feature.
- [ON TRACK] Submit to standards body. Security/Sec-From
Prototype: Not Started. ETA: Q4 2009
Tasks:
- [ON TRACK] create add-on that appropriately serves this header.
- [ON TRACK] create test suite that verifies values and presence of the header.
Implementation: Not Started. ETA: ?
Tasks:
- [ON TRACK] patch mozilla-central
- [ON TRACK] convert prototype test suite to automated tests
Content Security Policy
Design: In Progress. ETA: Q3 2009
Content Security Policy is intended to mitigate a large class of web application vulnerabilities, including cross-site scripting. The CSP spec has been iterated upon many times and is approaching a stable configuration.
Goals
- (Primary) Mitigate Cross Site Scripting (XSS)
- Mitigate Clickjacking
- Mitigate Packet Sniffing Attacks
- Backward Compatibility with sites not employing CSP
Tasks:
- [DONE] create specification Security/CSP/Spec
- [ON TRACK] write up example use cases
Discussion: In Progress.
Public discussion of the CSP design and specification has taken place in mozilla.dev.security. CSP is generally regarded as a good idea, and the discussion has moved on to compatibility, deployment and small edge cases.
Tasks:
- [DONE] discuss Security/CSP/Spec spec in public forums
- [DONE] get feedback (rinse, repeat) until comments are trivial
- [ON TRACK] come to decision about whether or not to support meta tags
- [ON TRACK] come to decision about whether or not to support multiple HTTP headers
Review and Standardization: In Progress. ETA: ?
Appropriate paths for standardization and external review are being explored.
Tasks:
- [ON TRACK] find a standards body that should review CSP
- [ON TRACK] submit formal spec for review/feedback
Prototype: Done. (8/2008)
Prototype implementation was completed in August 2008. It implements an old version of CSP and does not provide the base restrictions.
Tasks:
- [DONE] create add-on that enforces policies (minus base restrictions)
Implementation: In Progress. ETA: Q3 2009
CSP as specified is being implemented on mozilla-central and is aimed for landing in Q3 2009. It can be followed in bug 493857.
Tasks:
- [DONE] make patch to parse CSP policy in headers
- [DONE] make patch to enforce CSP policy directives
- [DONE] make patch to report policy violations
- [ON TRACK] make patch to implement base restriction enforcements
- [ON TRACK] land patch on trunk
- [ON TRACK] create document explaining how to write a good policy
- [ON TRACK] create document explaining how to convert a site to support CSP
- [ON TRACK] create server-based test suite (for other UAs who implement CSP)
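The implementation tasks above (parse the policy header, enforce its directives, report violations) and the open question of multiple HTTP headers are easier to reason about with a concrete evaluator. The following is an added illustration, not the 2009 Mozilla draft on Security/CSP/Spec and not Firefox's engine. It assumes today's header syntax (directives separated by ";", each a name followed by source expressions), a subset of source expressions ('self', 'none', '*', "scheme:", "[scheme://][*.]host"), fallback to default-src for an absent directive, and the rule that with several policies a load is allowed only if every policy allows it; the report field names are chosen here.

```javascript
// Added illustrative code, not the 2009 Mozilla draft or Firefox's CSP engine.
// Assumptions: today's header syntax (directives separated by ";", each a name
// followed by source expressions); a subset of source expressions ('self',
// 'none', '*', "scheme:", and "[scheme://][*.]host"); a directive falls back to
// default-src when absent; and when a response carries several policies a load
// is allowed only if every policy allows it. Report field names are chosen here.

function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression permit `url` to load into a page at `pageOrigin`?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.startsWith("'")) return false;                    // other keywords unsupported here
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const actual = url.hostname.toLowerCase();
  const wanted = host.toLowerCase();
  // "*.cdn.example" matches subdomains only, never cdn.example itself.
  return wildcard ? actual.endsWith("." + wanted) : actual === wanted;
}

// The directive that actually governs a load, and its sources; null if the
// policy says nothing about this kind of load.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return [directive, policy.get(directive)];
  if (policy.has("default-src")) return ["default-src", policy.get("default-src")];
  return null;
}

// Evaluate one load against every policy delivered with the page. On a block,
// also build the violation report a report-uri receiver would be sent.
function evaluateLoad(policyHeaders, directive, pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl);
  for (const header of policyHeaders) {
    const found = effectiveSources(parsePolicy(header), directive);
    if (found === null) continue;                              // this policy does not restrict it
    const [violated, sources] = found;
    if (!sources.some((s) => sourceMatches(s, url, page.origin))) {
      return {
        allowed: false,
        report: {
          "document-uri": page.href,
          "blocked-uri": url.href,
          "violated-directive": violated,
          "original-policy": header,
        },
      };
    }
  }
  return { allowed: true, report: null };
}

// Constructed page, policy and loads (not from a real site).
const PAGE = "https://shop.example/cart";
const POLICY = ["default-src 'self'; script-src 'self' https://cdn.example *.static.example; img-src *"];
const LOADS = [
  ["script-src", "https://cdn.example/lib.js"],
  ["script-src", "https://evil.example/x.js"],
  ["script-src", "https://a.static.example/x.js"],
  ["img-src", "http://anywhere.example/i.png"],
  ["style-src", "https://cdn.example/s.css"],    // falls back to default-src 'self'
];

for (const [directive, src] of LOADS) {
  const r = evaluateLoad(POLICY, directive, PAGE, src);
  console.log(`${directive} ${src}: ${r.allowed ? "allowed" : "blocked"}`, r.report || "");
}
```

Passing two headers such as `["img-src *", "img-src 'self'"]` shows why the multiple-header question matters: under the intersection rule a second, stricter policy can only tighten the first, so an intermediary adding a header cannot loosen what the origin server set.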
ForceTLS
Design: Done (6/18/2009)
Goals
- Allow sites to "default" to HTTPS
- Help prevent man-in-the-middle attacks via HTTPS stripping (an attacker re-serving an HTTPS site over plain HTTP).
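Both goals come down to a decision the browser must make before it opens a connection: has this host asked to be reached only over HTTPS, and is that request still in force? The following is an added model of that user-agent logic, not the ForceTLS add-on linked below. The page fixes no header syntax, so it assumes a response header named "X-Force-TLS" carrying "max-age=<seconds>" and an optional "includeSubDomains" token (the shape later standardized as HSTS), honored only when received over HTTPS.

```javascript
// Added illustrative code, not the ForceTLS add-on linked on this page. The page
// fixes no header syntax, so this assumes a response header "X-Force-TLS"
// carrying "max-age=<seconds>" with an optional "includeSubDomains" token (the
// shape later standardized as HSTS), honored only when received over HTTPS.

function parseForceTls(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of value.split(";")) {
    const token = raw.trim();
    const m = /^max-age=(\d+)$/i.exec(token);
    if (m) maxAge = Number(m[1]);
    else if (/^includeSubDomains$/i.test(token)) includeSubDomains = true;
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class ForceTlsStore {
  constructor() {
    this.entries = new Map(); // hostname -> { expires (ms), includeSubDomains }
  }

  // Learn a policy from a response. A header seen over plain HTTP is ignored:
  // the very attacker doing the stripping could otherwise plant or clear it.
  observeResponse(responseUrl, headers, now = Date.now()) {
    const url = new URL(responseUrl);
    if (url.protocol !== "https:") return false;
    const value = headers["x-force-tls"];
    if (typeof value !== "string") return false;
    const parsed = parseForceTls(value);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) {
      this.entries.delete(url.hostname);      // max-age=0 lets a site opt back out
      return true;
    }
    this.entries.set(url.hostname, {
      expires: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` covered, either directly or by an includeSubDomains policy on a
  // parent domain? Expired entries are dropped on the way.
  isForced(host, now = Date.now()) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an outgoing URL before any connection is opened, so a stripping
  // proxy never sees a plaintext request for a host that has opted in.
  upgrade(requestUrl, now = Date.now()) {
    const url = new URL(requestUrl);
    if (url.protocol === "http:" && this.isForced(url.hostname, now)) {
      url.protocol = "https:";
    }
    return url.href;
  }
}

// Constructed walk-through: first contact over HTTP (policy not trusted), then
// a genuine HTTPS response installs it, after which a plaintext link to the
// site or a subdomain is upgraded, until max-age runs out.
const store = new ForceTlsStore();
const t0 = 1700000000000;
console.log(store.observeResponse("http://bank.example/", { "x-force-tls": "max-age=3600" }, t0));   // ignored
console.log(store.upgrade("http://bank.example/login", t0));                                         // still http
console.log(store.observeResponse("https://bank.example/", { "x-force-tls": "max-age=3600; includeSubDomains" }, t0));
console.log(store.upgrade("http://bank.example/login", t0 + 1000));                                  // https
console.log(store.upgrade("http://www.bank.example/", t0 + 1000));                                   // https (subdomain)
console.log(store.upgrade("http://bank.example/", t0 + 3601 * 1000));                                // expired, still http
```

The first-visit gap is visible in the walk-through: until the site has been reached over HTTPS once, a stripping proxy can keep the user on plain HTTP, which is why "default to HTTPS" is a stated goal rather than something the header alone can guarantee.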
Discussion: Done.
The topic is fairly simple and the edge cases have mostly been taken care of. Any remaining issues will be exposed in the standardization process.
Review and Standardization: In Progress. ETA: ?
Prototype: Done. (6/2009)
https://addons.mozilla.org/en-US/firefox/addon/12714
Implementation: Not Started. ETA: ?
Process Isolation
Design: Done (6/18/2009)
Goals
- Reduce the damage for various types of vulnerabilities within Firefox.
Discussion: In Progress.
Review and Standardization: ?
Prototype: ?
Implementation: ?