SummerOfCode/2013/SecurityReport

Project Title: User Specified Content Security Policy



Goal: The goal of this project is to allow savvy users to voluntarily specify their own CSP policies for websites that have not implemented CSP, and to automatically infer CSP policies for frequently visited websites when neither the user nor the website publisher specifies one.

Developer


  • PATIL Kailas < patilkr24 AT gmail DOT com >


Project Wiki


WikiPage

Project Status


Schedule of userCSP project deliverables:

  • June 17 - June 30 (two weeks): Capture "error" and "warn" messages
 from the Error Console. In particular, register a listener on
 "nsIConsoleService" or listen for the console-api-log-event topic of
 "consoleAPI".
  • July 1 - July 14 (two weeks): Capture security-related information
 about cookies. In particular, I will use the "nsICookie2",
 "nsICookieService" and "nsICookieManager2" APIs to get access to
 cookies and check whether the website sets cookies as secure or not. In
 addition, I will also check for the absence of the "http-only" flag.
  • July 15 - July 21 (one week): Project discussion with the mentor and
 community on the design and GUI of this add-on.
  • July 22 - August 11 (three weeks): Validate SSL certificates and
 maintain a per-browser-session whitelist of good SSL certificates, so
 that the same certificate is not re-checked within one session. In
 particular, I will use the "nsISSLStatusProvider" API to get SSL
 certificate details and the "nsIX509Cert" API to check the various
 status codes of an SSL certificate (such as CERT_REVOKED, CERT_EXPIRED,
 etc.).
  • August 12 - August 25 (two weeks): Integrate the add-on with GCLI
 commands to invoke/show the add-on UI, display security errors, hide
 the add-on UI, etc. In particular, I will import the "gcli.jsm" library
 from devtools and use the "addCommand" method to add GCLI commands. For
 example, "security-report[showUI, hideUI, print]". The "security-report
 showUI" command will display the add-on UI. The "security-report hideUI"
 command hides the add-on UI. The "security-report print" command
 displays only the security report to the user in a bubble.
  • August 26 - September 8 (two weeks): Identify other types of security
 errors (such as CORS and mixed content). In particular, detect security
 errors caused by CORS requests, mixed content in web pages, etc. and
 display them to users.
  • September 9 - September 22 (two weeks): Develop test cases and test
 the add-on against a few websites that contain security errors. In
 particular, check whether or not the add-on correctly reports all
 supported security errors to the user.
  • September 23 - September 27 (5 days): Ensure code is available on
 Google Code and in the Mozilla add-on repository.
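
The cookie checks from the July 1 - July 14 deliverable, written out as an added example (this is not the add-on's own code): a pure function over plain objects shaped like nsICookie2 (host, name, isSecure, isHttpOnly) so it runs outside Firefox; the sample cookies and the siteIsHttps parameter are constructed for the example.

```javascript
// Added example, not code from the security-report add-on. Cookies are plain
// objects using the nsICookie2 attribute names (host, name, isSecure,
// isHttpOnly). The sample records below are constructed for this example.
const SAMPLE_COOKIES = [
  { host: "example.test", name: "sid", isSecure: false, isHttpOnly: false },
  { host: "example.test", name: "csrf", isSecure: true, isHttpOnly: false },
  { host: ".example.test", name: "prefs", isSecure: true, isHttpOnly: true },
];

// Returns one finding per missing protection. `siteIsHttps` (assumed input,
// taken from the page's own URL) says whether the owning page was loaded over
// TLS: a missing Secure flag is reported as an error only there, because a
// cookie set by an http:// page cannot be protected by Secure anyway.
function auditCookies(cookies, siteIsHttps) {
  const findings = [];
  for (const c of cookies) {
    if (siteIsHttps && !c.isSecure) {
      findings.push({ host: c.host, name: c.name, level: "error",
        message: "lacks the Secure flag, so it may be sent over plain HTTP" });
    }
    if (!c.isHttpOnly) {
      findings.push({ host: c.host, name: c.name, level: "warn",
        message: "lacks the HttpOnly flag, so page scripts can read it" });
    }
  }
  return findings;
}

// Groups findings by cookie host so the add-on UI can show one entry per site.
function summarizeByHost(findings) {
  const byHost = {};
  for (const f of findings) {
    (byHost[f.host] = byHost[f.host] || []).push(
      `[${f.level}] ${f.name}: ${f.message}`);
  }
  return byHost;
}

console.log(JSON.stringify(
  summarizeByHost(auditCookies(SAMPLE_COOKIES, true)), null, 2));
```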

Weekly Status Updates: