Security/Features

Warning: This page is no longer maintained. Please see SecurityEngineering/Roadmap for current projects.

This page once listed the security features under development and our plans for deployment.

Status Overview

Feature           | Design          | Discussion                | Review & Standards | Prototype     | Implementation | Version Target
------------------+-----------------+---------------------------+--------------------+---------------+----------------+---------------
Origin            | Done            | Done                      | In Progress        | Not Started   | Not Started    |
CSP               | Done (2/2009)   | Pretty Much Done (9/2009) | Not Started        | Done (8/2008) | Done (3/2010)  | 4.0
ForceTLS          | Done (Q2 2009)  | In Progress               | In Progress        | Done (8/2010) | Done (8/2009)  | 4.0
Process Isolation | Done            | In Progress               |                    | n/a           | In Progress    | ?
X-Frame-Options   | Done (Previous) | In Progress (stable)      | Done (Previous)    | n/a           | Done           | 4.0
Content Hashing   | in progress     | in progress               | tbd                | tbd           | tbd            | ?
XSS Filter        | in progress     | in progress               | tbd                | tbd           | tbd            | ?

Projects

This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.

SEE ALSO: Privacy/Features/

Origin Header / Sec-From

Beginning as a Security/Origin header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into Security/Sec-From, which will not prevent clickjacking but can be compatible with various other specifications for similar HTTP request headers.

Design: Done (6/18/2009). Discussion over the behavior and uses of Sec-From has been ongoing.

Tasks:

  • [DONE] Write up an informal spec Security/Origin
  • [DONE] Unify spec with Adam Barth's Internet Draft [1].
  • [DONE] Unify with CORS "Origin" or pick a new header name to avoid incompatibility. Reworked as Security/Sec-From.

Such an "Origin" header is also mentioned in HTML 5 [2].

Goals:

  • Provide a reliably present "referrer" that
    • has minimal potential for privacy leak
    • reflects all redirects participating in the request
  • aid in detecting CSRF attempts
  • aid in preventing JSON data theft

Discussion: In Progress

We've synced up with Adam Barth and settled on a design. He is working with the CORS folks to see if his proposal can be unified with the Origin header they send.

Discussion about renaming from "Origin": http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html

Tasks:

  • [DONE] Settle on a design. Security/Sec-From
  • [ON TRACK] Initiate public discussion on newsgroups and other public forums


Review and Standardization: In Progress. ETA: ?

Tasks:

  • [DONE] Find appropriate standards body to review this feature (IETF).
  • [DONE] Submit to standards body. (Adam is leading this)


Prototype: Not Started. ETA: Q4 2009

Tasks:

  • [ON TRACK] create add-on that appropriately serves this header.
  • [ON TRACK] create test suite that verifies values and presence of the header.

Implementation: Not Started. ETA: ?

Tasks:

  • [ON TRACK] patch mozilla-central
  • [ON TRACK] convert prototype test suite to automated tests

Content Security Policy

Design: In Progress. ETA: Q3 2009

Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities including Cross Site Scripting.

The CSP spec has been iterated upon many times and is approaching a stable configuration.

Goals

  • (Primary) Mitigate Cross Site Scripting (XSS)
  • Mitigate Clickjacking
  • Mitigate Packet Sniffing Attacks
  • Backward Compatibility with sites not employing CSP

Tasks:

Discussion: In Progress.

Public discussion of the CSP design and specification has taken place in mozilla.dev.security. CSP is generally discussed as a good idea, and the discussion has evolved into a compatibility, deployment and small edge-case discussion.

Tasks:

  • [DONE] discuss Security/CSP/Spec spec in public forums
  • [DONE] get feedback (rinse, repeat) until comments are trivial
  • [DONE] come to decision about whether or not to support meta tags (not supporting)
  • [DONE] come to decision about whether or not to support multiple HTTP headers

Review and Standardization: In Progress. ETA: ?

Appropriate paths for standardization and external review are being explored.

Tasks:

  • [ON TRACK] find a standards body that should review CSP
  • [ON TRACK] submit formal spec for review/feedback

Prototype: Done. (8/2008)

Prototype implementation was completed in August 2008. It implements an old version of CSP and does not provide the base restrictions.

Tasks:

  • [DONE] create add-on that enforces policies (minus base restrictions)


Implementation: In Progress. ETA: Q3 2009

CSP as specified is being implemented on mozilla-central and is aimed for landing in Q3 2009. It can be followed in bug 493857.

Tasks:

  • [DONE] make patch to parse CSP policy in headers
  • [DONE] make patch to enforce CSP policy directives
  • [DONE] make patch to report policy violations
  • [DONE] make patch to implement base restriction enforcements
  • [DONE] land patch on trunk
  • [ON TRACK] create document explaining how to write a good policy
  • [ON TRACK] create document explaining how to convert a site to support CSP
  • [DONE] create server-based test suite (for other UAs who implement CSP)

ForceTLS / Strict-Transport-Security

Design: Done (6/18/2009) http://forcetls.sidstamm.com/

Tasks:

  • [DONE] spec out syntax -- JeffH drove this

Goals

  • Allow sites to "default" to HTTPS
  • Help prevent MITM due to HTTPS stripping (re-serving sites as HTTP instead of HTTPS).

Discussion: In Progress.

The topic is fairly simple and the edge cases have mostly been taken care of. Any remaining issues will be exposed in the standardization process.

Tasks:

  • [DONE] lead internal discussion about use/feature set -- JeffH drove this
  • [ON TRACK] discuss in a public forum


Review and Standardization: In Progress. See Strict Transport Security for details.

Tasks:

  • [ON TRACK] IETF
  • [ON TRACK] W3C? (Currently submitted here by Paypal)

Prototype: Done. (6/2009)

https://addons.mozilla.org/en-US/firefox/addon/12714

Tasks:

  • [DONE] implement with tree-based host searching and SQLite client-side data storage
  • [DONE] write up summary of how to use the add-on
  • [DONE] submit to AMO for screening and public dissemination

Implementation: Done. (8/2010)

Tasks:

  • [DONE] convert prototype to C++ -- partially in JS, see bug 495115
  • [DONE] pick optimal location to scan for header
  • [DONE] write unit tests
  • [DONE] land on trunk

Process Isolation

Design: In Process.

https://wiki.mozilla.org/Electrolysis

Goals

  • Create infrastructure to allow process separation within Firefox
  • Put plugins in a separate process for stability reasons
  • Create separate content processes for stability and performance reasons
  • Implement isolated processes to reduce the damage done by various types of vulnerabilities

Tasks


Discussion: In Process.

Tasks:

Review and Standardization:

Prototype: In Process.

Implementation:

Phases https://wiki.mozilla.org/Electrolysis#Implementation

  • Plugin process separation - due to ship in Lorentz
  • Out of process tabs - in process
  • Add-on multi-process support and compatibility
  • Performance, caching, process pools
  • Sandboxing, of content processes and hopefully plugins

X-Frame-Options

Design: Done.

Goals

  • Allow sites to specify how they may be enframed
  • Help prevent Clickjacking
  • Be compatible with IE/WebKit implementations

Discussion: In Process.

Tasks:

  • [DROPPED] Discuss extensions of XFO with other implementation bodies (e.g., whole-tree-walking, etc.)
  • [DONE] Make sure this will work alongside [Security/CSP]

Review and Standardization:

There does not exist a formal specification. Eric Lawrence's blog post on X-Frame-Options serves as the closest thing to a spec.

Prototype: None.

Implementation: Done (see bug 4755300).

Tasks

  • [DONE] Design Behavior
  • [DONE] Implement Patch
  • [DONE] Implement Unit Tests
  • [DONE] Get reviewed and land on trunk
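As an added illustration of the X-Frame-Options behaviour the goals above describe (not code from the Firefox patch or from Eric Lawrence's post), the following decides whether a framed document may render, and exposes the "whole-tree-walking" question from the discussion tasks as a flag: comparing only the top-level page against the document's origin lets a same-origin top page that embeds a third-party frame, which in turn embeds the protected document, pass, whereas checking every ancestor rejects it. Comparing on scheme://host:port and treating unrecognised values as no policy are assumptions made here.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """scheme://host:port, the granularity X-Frame-Options is assumed to compare on here."""
    p = urlsplit(url)
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(p.scheme)
    return "%s://%s:%s" % (p.scheme.lower(), (p.hostname or "").lower(), port)

def frame_allowed(xfo_value, document_url, ancestor_urls, walk_whole_tree=True):
    """May the document carrying this X-Frame-Options value render inside these ancestors?

    ancestor_urls runs from the immediate parent frame up to the top-level page.
    walk_whole_tree=True compares every ancestor; False compares only the top-level
    page, which is the distinction behind the "whole-tree-walking" task above.
    """
    if not ancestor_urls:
        return True                     # not framed at all: the header has nothing to restrict
    value = (xfo_value or "").strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        checked = ancestor_urls if walk_whole_tree else ancestor_urls[-1:]
        doc_origin = origin_of(document_url)
        return all(origin_of(a) == doc_origin for a in checked)
    return True                         # missing or unrecognised value: treated as no policy
```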