Security/Features/SameDomainCookie
From MozillaWiki
Please use "Edit with form" above to edit this page.
Status
| Same Domain Cookies | |
| Stage | Draft |
| Status | In progress |
| Release target | Firefox 20 |
| Health | OK |
| Status note | https://bugzilla.mozilla.org/show_bug.cgi?id=795346 |
Team
| Product manager | ` |
| Directly Responsible Individual | Mark Goodwin |
| Lead engineer | ` |
| Security lead | ` |
| Privacy lead | ` |
| Localization lead | ` |
| Accessibility lead | ` |
| QA lead | ` |
| UX lead | ` |
| Product marketing lead | ` |
| Operations lead | ` |
| Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
SameDomain cookie is a CSRF prevention measure
The mechanism consists of a new cookie flag (tentatively called SameDomain) which, when set, instructs the browser to only send the cookie when the cookie domain attribute matches the domain of the referring URI. Aside from this restriction, browser should behave exactly as they would otherwise.
2. Users & use cases
`
3. Dependencies
`
4. Requirements
The goal of this feature is to provide a robust CSRF protection mechanism which is simple to understand and easy for site owners to implement. (more detail to follow)
Non-goals
`
Stage 2: Design
5. Functional specification
`
6. User experience design
There should be little or no user-visible associated with this feature.
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
`
Feature details
| Priority | P3 |
| Rank | 999 |
| Theme / Goal | Web Hardening |
| Roadmap | Security |
| Secondary roadmap | Platform |
| Feature list | ` |
| Project | ` |
| Engineering team | ` |
Team status notes
| status | notes | |
| Products | ` | ` |
| Engineering | ` | ` |
| Security | sec-review-unnecessary | should be floated as spec |
| Privacy | ` | ` |
| Localization | ` | ` |
| Accessibility | ` | ` |
| Quality assurance | ` | ` |
| User experience | ` | ` |
| Product marketing | ` | ` |
| Operations | ` | ` |
Original writeup is here: http://people.mozilla.org/~mgoodwin/OriginOnly/
