Security/Features

From MozillaWiki
Jump to navigation Jump to search

This page lists the security features under development and our plans for deployment.

Status Overview

Feature Design Discussion Review & Standards Prototype Implementation
Sec-From Done Done In Progress
CSP Done (2/2009) In Progress Done (8/2008) In Progress
ForceTLS Done (Q2 2009) In Progress In Progress Done (6/2009) In Progress
Process Isolation Done In Progress In Progress In Progress

Projects

This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.

Origin Header / Sec-From

Beginning as an Security/Origin header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into Security/Sec-From that will not prevent clickjacking, but can be compatible with various other specifications for similar HTTP request headers.

Design: Done (6/18/2009) Discussion over the behavior and uses of Sec-From has been ongoing.

Tasks:

  • [DONE] Write up an informal spec Security/Origin
  • [DONE] Unify spec with Adam Barth's Internet Draft [1].
  • [ON TRACK] Unify with CORS "Origin" or pick a new header name to avoid incompatibility. Reworked as Security/Sec-From.

Such an "Origin" header is also mentioned in HTML 5 [2].

Goals:

  • Provide a reliably present "referrer" that
    • has minimal potential for privacy leak
    • reflects all redirects participating in the request
  • aid in detecting CSRF attempts
  • aid in preventing JSON data theft

Discussion: In Progress

We've synced up with Adam Barth and settled on a design. He is working with the CORS folks to see if his proposal can be unified with the Origin header they send.

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html
discussion about renaming from "Origin"

Tasks:

  • [DONE] Settle on a design. Security/Sec-From
  • [ON TRACK] Initiate public discussion on newsgroups and other public forums


Review and Standardization: In Progress. ETA: ?

Tasks:

  • [ON TRACK] Find appropriate standards body to review this feature.
  • [ON TRACK] Submit to standards body. Security/Sec-From


Prototype: Not Started. ETA: Q4 2009

Tasks:

  • [ON TRACK] create add-on that appropriately serves this header.
  • [ON TRACK] create test suite that verifies values and presence of the header.

Implementation: Not Started. ETA: ?

Tasks:

  • [ON TRACK] patch mozilla-central
  • [ON TRACK] convert prototype test suite to automated tests

Content Security Policy

Design: In Progress. ETA: Q3 2009

Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities including Cross Site Scripting.

The CSP spec has been iterated upon many times and is approaching a stable configuration.

Goals

  • (Primary) Mitigate Cross Site Scripting (XSS)
  • Mitigate Clickjacking
  • Mitigate Packet Sniffing Attacks
  • Backward Compatibility with sites not employing CSP

Tasks:

Discussion: In Progress.

Public discussion of the CSP design and specification has taken place in mozilla.dev.security. CSP is generally discussed as a good idea, and the discussion has evolved into a compatibility, deployment and small edge-case discussion.

Tasks:

  • [DONE] discuss Security/CSP/Spec spec in public forums
  • [DONE] get feedback (rinse, repeat) until comments are trivial
  • [ON TRACK] come to decision about whether or not to support meta tags
  • [ON TRACK] come to decision about whether or not to support multiple HTTP headers

Review and Standardization: In Progress. ETA: ?

Appropriate paths for standardization and external review are being explored.

Tasks:

  • [ON TRACK] find a standards body that should review CSP
  • [ON TRACK] submit formal spec for review/feedback

Prototype: Done. (8/2008)

Prototype implementation was completed in August 2008. It implements an old version of CSP and does not provide the base restrictions.

Tasks:

  • [DONE] create add-on that enforces policies (minus base restrictions)


Implementation: In Progress. ETA: Q3 2009

CSP as specified is being implemented on mozilla-central and is aimed for landing in Q3 2009. It can be followed in bug 493857.

Tasks:

  • [DONE] make patch to parse CSP policy in headers
  • [DONE] make patch to enforce CSP policy directives
  • [DONE] make patch to report policy violations
  • [ON TRACK] make patch to implement base restriction enforcements
  • [ON TRACK] land patch on trunk
  • [ON TRACK] create document explaining how to write a good policy
  • [ON TRACK] create document explaining how to convert a site to support CSP
  • [ON TRACK] create server-based test suite (for other UAs who implement CSP)

ForceTLS

Design: Done (6/18/2009)

http://forcetls.sidstamm.com/

Goals

  • Allow sites to "default" to HTTPS
  • Help prevent MITM due to HTTPS stripping (re-serving sites as HTTP instead of HTTPS).

Discussion: Done.

The topic is pretty much simple and the edge cases have mostly been taken care of. Any remaining issues will be exposed in the standardization process.

Review and Standardization: In Progress. ETA: ?

Prototype: Done. (6/2009)

https://addons.mozilla.org/en-US/firefox/addon/12714

Implementation: Not Started. ETA: ?

Process Isolation

Design: Done (6/18/2009)

Goals

  • Reduce the damage for various types of vulnerabilities within Firefox.

Discussion: In Progress.

Review and Standardization:  ?

Prototype: ?

Implementation:  ?

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Features&oldid=155504"