Site security state store
From MozillaWiki
Please use "Edit with form" above to edit this page.
Status
| Site security state store | |
| Stage | Draft |
| Status | ` |
| Release target | ` |
| Health | OK |
| Status note | ` |
Team
| Product manager | ` |
| Directly Responsible Individual | ` |
| Lead engineer | ` |
| Security lead | ` |
| Privacy lead | ` |
| Localization lead | ` |
| Accessibility lead | ` |
| QA lead | ` |
| UX lead | ` |
| Product marketing lead | ` |
| Operations lead | ` |
| Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
There have been several HTTP extensions that handle security attributes such as HSTS and ca-pinning. These attributes are site initiated and thus should have different semantics than pinning. Currently this data lives on the site permissions with three main problems:
- access r/w is not thread safe
- is not aware of private browsing
- Does not allow for storage of arbitrary data.
2. Users & use cases
- HSTS Storage
- CA Pinning storage
3. Dependencies
`
4. Requirements
- Thread safe
- Private browsing aware
- Store for JSON data
- Expiration for data
- indexed on per site
- Allowing tree queries, but limit them to eTLD+1
- Scriptable access.
- Atomic quering and insertion.
- have a simple way to embed defaults in the source (for new profiles or db corruption)
Nice to have:
- Optimized for minimal impact to page loads. Most pages would not have any of this.
- Optimize the call pattern so we can minimize the number of method calls (i.e. callers should be able to check at the beginning of a page load and then not again, rather than one call per resource).
- Incorporate cert exceptions if possible.
To think about:
- If we still care about CAPS, replace it with this.
Non-goals
- While the data in this storage shall not be directly accessible to sites we will not commit to prevent tracking via this data set.
Stage 2: Design
5. Functional specification
`
6. User experience design
`
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
`
Feature details
| Priority | Unprioritized |
| Rank | 999 |
| Theme / Goal | ` |
| Roadmap | ` |
| Secondary roadmap | ` |
| Feature list | ` |
| Project | ` |
| Engineering team | ` |
Team status notes
| status | notes | |
| Products | ` | ` |
| Engineering | ` | ` |
| Security | ` | ` |
| Privacy | ` | ` |
| Localization | ` | ` |
| Accessibility | ` | ` |
| Quality assurance | ` | ` |
| User experience | ` | ` |
| Product marketing | ` | ` |
| Operations | ` | ` |
