Site security state store
From MozillaWiki
Please use "Edit with form" above to edit this page.
Status
Site security state store | |
Stage | Draft |
Status | ` |
Release target | ` |
Health | OK |
Status note | ` |
Team
Product manager | ` |
Directly Responsible Individual | ` |
Lead engineer | ` |
Security lead | ` |
Privacy lead | ` |
Localization lead | ` |
Accessibility lead | ` |
QA lead | ` |
UX lead | ` |
Product marketing lead | ` |
Operations lead | ` |
Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
There have been several HTTP extensions that handle security attributes such as HSTS and ca-pinning. These attributes are site initiated and thus should have different semantics than pinning. Currently this data lives on the site permissions with three main problems:
- access r/w is not thread safe
- is not aware of private browsing
- Does not allow for storage of arbitrary data.
2. Users & use cases
- HSTS Storage
- CA Pinning storage
3. Dependencies
`
4. Requirements
- Thread safe
- Private browsing aware
- Store for JSON data
- Expiration for data
- indexed on per site
- Allowing tree queries, but limit them to eTLD+1
- Scriptable access.
- Atomic quering and insertion.
- have a simple way to embed defaults in the source (for new profiles or db corruption)
Nice to have:
- Optimized for minimal impact to page loads. Most pages would not have any of this.
- Optimize the call pattern so we can minimize the number of method calls (i.e. callers should be able to check at the beginning of a page load and then not again, rather than one call per resource).
- Incorporate cert exceptions if possible.
To think about:
- If we still care about CAPS, replace it with this.
Non-goals
- While the data in this storage shall not be directly accessible to sites we will not commit to prevent tracking via this data set.
Stage 2: Design
5. Functional specification
`
6. User experience design
`
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
`
Feature details
Priority | Unprioritized |
Rank | 999 |
Theme / Goal | ` |
Roadmap | ` |
Secondary roadmap | ` |
Feature list | ` |
Project | ` |
Engineering team | ` |
Team status notes
status | notes | |
Products | ` | ` |
Engineering | ` | ` |
Security | ` | ` |
Privacy | ` | ` |
Localization | ` | ` |
Accessibility | ` | ` |
Quality assurance | ` | ` |
User experience | ` | ` |
Product marketing | ` | ` |
Operations | ` | ` |