SummerOfCode/2013/SecurityReport: Difference between revisions
Revision as of 10:39, 28 May 2013
Project Title: User Specified Content Security Policy
Goal: The goal of this project is to let savvy users voluntarily specify their own CSP policies for websites that have not implemented CSP, and to automatically infer CSP policies for frequently visited websites when neither the user nor the site publisher specifies one.
Developer
- PATIL Kailas < patilkr24 AT gmail DOT com >
Project Wiki
Project Status
Schedule of userCSP project deliverables:
- June 17 - June 30 (two weeks):
Capture "error" and "warn" messages from the Error Console. In particular, register an event listener on "nsIConsoleService", or listen for the console-api-log-event topic of "consoleAPI".
- July 1 - July 14 (two weeks):
Capture security-related information about cookies. In particular, I will use the "nsICookie2", "nsICookieService" and "nsICookieManager2" APIs to access cookies and check whether the website sets its cookies as secure or not. In addition, I will also check for the absence of the "http-only" flag.
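The two cookie checks described above, written out as an added example (this is not the userCSP add-on's own code). The cookie records mirror the fields an nsICookie2 object exposes (host, name, isSecure, isHttpOnly) but are constructed inline here instead of being read through nsICookieManager2, so the block runs stand-alone in Node; the host-matching rule (leading-dot hosts are domain cookies that also apply to subdomains) follows cookie semantics, not anything the page states.

```javascript
// Added example, not part of the userCSP project. Audits cookie records for
// the two weaknesses in the plan: a missing Secure flag on an HTTPS site and
// a missing HttpOnly flag. In the add-on the records would come from
// nsICookieManager2's enumerator (assumed wiring, not shown); here they are
// constructed sample data for an imaginary site.
const SAMPLE_COOKIES = [
  { host: "example.com",  name: "sessionid", isSecure: false, isHttpOnly: false },
  { host: "example.com",  name: "csrftoken", isSecure: true,  isHttpOnly: false },
  { host: "example.com",  name: "prefs",     isSecure: true,  isHttpOnly: true  },
  { host: ".example.com", name: "tracking",  isSecure: false, isHttpOnly: true  },
];

// nsICookie2.host carries a leading dot for domain cookies, which also apply
// to subdomains; host-only cookies must match the site host exactly.
function cookieAppliesTo(cookie, siteHost) {
  if (cookie.host.startsWith(".")) {
    const domain = cookie.host.slice(1);
    return siteHost === domain || siteHost.endsWith("." + domain);
  }
  return cookie.host === siteHost;
}

// Return one finding per weakness for every cookie that applies to siteHost.
// pageIsHttps: whether the audited page was loaded over HTTPS; the Secure
// check is only meaningful in that case.
function auditCookies(cookies, siteHost, pageIsHttps) {
  const findings = [];
  for (const c of cookies) {
    if (!cookieAppliesTo(c, siteHost)) continue;
    if (pageIsHttps && !c.isSecure) {
      findings.push({ cookie: c.name, problem: "missing-secure",
        detail: "will also be sent over plain HTTP" });
    }
    if (!c.isHttpOnly) {
      findings.push({ cookie: c.name, problem: "missing-httponly",
        detail: "readable by page scripts via document.cookie" });
    }
  }
  return findings;
}

// Collapse findings into the counts a report bubble would display.
function summarise(findings) {
  const counts = { "missing-secure": 0, "missing-httponly": 0 };
  for (const f of findings) counts[f.problem] += 1;
  return counts;
}

// Usage: audit the sample cookies as seen from an HTTPS page on example.com.
console.log(summarise(auditCookies(SAMPLE_COOKIES, "example.com", true)));
```

Bad results are reported per cookie rather than per site so the user can see which cookie to fix; the summary counts are what the add-on's bubble would show.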
- July 15 - July 21 (one week):
Project discussion with the mentor and community on the design and GUI of this addon.
- July 22 - August 11 (three weeks):
Validate SSL certificates; per session (for each browser session), maintain a whitelist of good SSL certificates to avoid re-checking the same certificate within one session. In particular, I will use the "nsISSLStatusProvider" API to get SSL certificate details, and the "nsIX509Cert" API to compare the various status codes for an SSL certificate (such as CERT_REVOKED, CERT_EXPIRED, etc.).
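The per-session whitelist described above, as an added example that is not the add-on's own code. The certificate records and the validator are constructed stand-ins for what nsISSLStatusProvider and nsIX509Cert would report (the status strings beyond CERT_REVOKED and CERT_EXPIRED are made up for the sample). One design point the example makes explicit: the whitelist is keyed by host and fingerprint together, because a certificate that is good for one host can still be a domain mismatch for another, and only good results are cached so that a certificate that fails is re-checked the next time it is seen.

```javascript
// Added example, not part of the userCSP project. Caches certificates that
// have already been judged good for one browser session so that each
// (host, certificate) pair is validated at most once per session.
const NOW = Date.UTC(2013, 4, 28); // constructed "current time" for the sample
const CERT_OK = "CERT_OK";

// Matches a certificate subject name against a host, with single-label
// wildcard support ("*.example.com" covers "www.example.com" only).
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && !host.slice(0, -suffix.length).includes(".");
  }
  return pattern === host;
}

// Constructed validator standing in for the nsIX509Cert status checks.
function sampleValidate(host, cert) {
  if (cert.revoked) return "CERT_REVOKED";
  if (cert.notAfter < NOW) return "CERT_EXPIRED";
  if (!cert.subjectHosts.some((p) => hostMatches(p, host))) return "CERT_DOMAIN_MISMATCH";
  return CERT_OK;
}

class CertSessionCache {
  constructor(validateFn) {
    this.validateFn = validateFn;      // the expensive check
    this.goodEntries = new Set();      // "host|fingerprint" keys judged good
    this.validations = 0;              // how many times validateFn ran
  }
  check(host, cert) {
    const key = host + "|" + cert.sha256Fingerprint;
    if (this.goodEntries.has(key)) return { host, status: CERT_OK, cached: true };
    this.validations += 1;
    const status = this.validateFn(host, cert);
    if (status === CERT_OK) this.goodEntries.add(key); // bad results are never cached
    return { host, status, cached: false };
  }
}

// Constructed sample certificates; fingerprints are placeholders.
const SAMPLE_CERTS = {
  good:    { sha256Fingerprint: "AA:11", subjectHosts: ["example.com", "*.example.com"],
             notAfter: Date.UTC(2014, 0, 1), revoked: false },
  expired: { sha256Fingerprint: "BB:22", subjectHosts: ["old.example.net"],
             notAfter: Date.UTC(2012, 0, 1), revoked: false },
  revoked: { sha256Fingerprint: "CC:33", subjectHosts: ["bank.example.org"],
             notAfter: Date.UTC(2014, 0, 1), revoked: true },
};

// Runs a sequence of checks through one session cache and returns the
// per-check results together with how many real validations happened.
function demoSession() {
  const cache = new CertSessionCache(sampleValidate);
  const results = [
    cache.check("example.com", SAMPLE_CERTS.good),        // validated
    cache.check("example.com", SAMPLE_CERTS.good),        // served from whitelist
    cache.check("www.example.com", SAMPLE_CERTS.good),    // new host: validated again
    cache.check("old.example.net", SAMPLE_CERTS.expired), // CERT_EXPIRED
    cache.check("old.example.net", SAMPLE_CERTS.expired), // bad: re-checked, not cached
    cache.check("bank.example.org", SAMPLE_CERTS.revoked),// CERT_REVOKED
  ];
  return { results, validations: cache.validations };
}

console.log(demoSession());
```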
- August 12 - August 25 (two weeks):
Integrate it into GCLI commands to invoke/show the add-on UI, display security errors, hide the add-on UI, etc. In particular, I will import the "gcli.jsm" library from devtools and use its "addCommand" method to add GCLI commands, for example "security-report [showUI, hideUI, print]". The "security-report showUI" command displays the add-on UI, "security-report hideUI" hides it, and "security-report print" displays only the security report to the user in a bubble.
- August 26 - September 8 (two weeks):
Identify the other types of errors (such as CORS and mixed content). In particular, detect security errors that occur due to CORS requests, mixed content in the web page, etc., and display them to users.
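Detection logic for the two error types named above, as an added example rather than the add-on's own code. The resource list and response headers are constructed; in the add-on they would come from the loaded document and from the network response (assumed, not shown). The mixed-content part goes slightly beyond the page by splitting findings into active content (scripts, stylesheets, frames, XHR, plugins, fonts) and passive content (images, media), since the two carry different risk; the CORS part applies the standard Access-Control-Allow-Origin rules, including the case where a wildcard origin is combined with credentials.

```javascript
// Added example, not part of the userCSP project. Classifies subresources of
// an HTTPS page as mixed content and checks a CORS response against the
// requesting origin. Uses Node's global URL class.
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "object", "font"]);

// Returns { active, passive, clean } lists of absolute URLs. Mixed content
// only exists on HTTPS pages, so an HTTP page yields empty lists.
function classifyMixedContent(pageUrl, resources) {
  const page = new URL(pageUrl);
  const result = { active: [], passive: [], clean: [] };
  if (page.protocol !== "https:") return result;
  for (const r of resources) {
    const u = new URL(r.url, pageUrl); // resolves relative URLs against the page
    if (u.protocol !== "http:") { result.clean.push(u.href); continue; }
    (ACTIVE_TYPES.has(r.type) ? result.active : result.passive).push(u.href);
  }
  return result;
}

// Decides whether a response would pass the browser's CORS origin check.
// requestOrigin: scheme://host[:port] of the page making the request.
// responseHeaders: plain object of header name -> value (any case).
function checkCorsResponse(requestOrigin, responseHeaders, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    if (withCredentials) {
      return { allowed: false, reason: "wildcard origin is not allowed with credentials" };
    }
    return { allowed: true, reason: "wildcard origin" };
  }
  if (acao !== requestOrigin) {
    return { allowed: false, reason: "origin " + requestOrigin + " does not match " + acao };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed by the server" };
  }
  return { allowed: true, reason: "origin matched" };
}

// Constructed sample page and subresources.
const SAMPLE_PAGE = "https://shop.example.com/cart";
const SAMPLE_RESOURCES = [
  { type: "script",     url: "http://cdn.example.net/app.js" },       // active mixed content
  { type: "img",        url: "http://images.example.net/logo.png" }, // passive mixed content
  { type: "stylesheet", url: "/static/site.css" },                   // same-origin https
  { type: "xhr",        url: "https://api.example.com/cart" },       // https, fine
  { type: "iframe",     url: "http://ads.example.org/frame" },       // active mixed content
];

console.log(classifyMixedContent(SAMPLE_PAGE, SAMPLE_RESOURCES));
console.log(checkCorsResponse("https://shop.example.com",
  { "Access-Control-Allow-Origin": "*" }, true));
```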
- September 9 - September 22 (two weeks):
Develop test cases and test the add-on with a few websites that contain security errors. In particular, check whether the add-on correctly reports all supported security errors to the user.
- September 23 - September 27 (5 days):
Ensure the code is available on Google Code and in the Mozilla add-on repository.
Weekly Status Updates: