Security/Features/Intranet CSRF Blocker

From MozillaWiki

Status

Intranet CSRF Blocker
Stage On hold
Status In progress
Release target `
Health `
Status note `


Team

Product manager Sid Stamm
Directly Responsible Individual `
Lead engineer Steve Workman
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members Brian Smith


Open issues/risks

`

Stage 1: Definition

1. Feature overview

Intranet CSRF Blocker enables Firefox to be aware of the source of network loads for sub-document resources, such as images, iframes, XHR, etc., and to use this extra context to decide if the network load should be permitted. The goal of this feature is to prevent web pages on the public Internet from causing a user's browser to send requests to resources residing on a private network.

2. Users & use cases

RFC 1918 defines the set of CIDR blocks which are not publicly addressable from the Internet and which are generally used to address hosts found on private home or enterprise networks. These blocks are 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8.

Starting around 2006, security researchers, notably Jeremiah Grossman and Robert Hansen, began pointing out an architectural weakness in the Web that allowed (untrusted) websites on the public Internet to cause requests to be sent to hosts on these private networks, which would otherwise be protected by NAT. Malicious requests of this type can be used by an attacker for: port scanning internal networks, reconfiguring home routers, sending print jobs to network printers, and CSRF to applications that use network access as authentication.

For more background, see:

3. Dependencies

See related bug 354493. Dependencies:

ID Summary Status
255107 Prevent data: URLs from being used for XSS RESOLVED
584155 Add a scriptable SOCKS proxy server to allow testing of SOCKS client code RESOLVED
585191 Enable SOCKS proxy server in mochitests RESOLVED
1041420 Failures in all mozmill tests that uses localhost address RESOLVED
1041511 Can't access 'localhost:port' while on a remote page once bug 354493 was landed RESOLVED
1042157 Cant find local servers when Home Page is set RESOLVED
1042497 Unable to find the proxy server in tab where proxy is set after it's opened RESOLVED
1481298 [meta] Local Network Access NEW

8 Total; 1 Open (12.5%); 7 Resolved (87.5%); 0 Verified (0%);


4. Requirements

`

Non-goals

The reverse case, where a web page on a private network sends requests for non-private resources, is common and is not considered an attack case that we are trying to prevent.
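
The load decision described in the overview, together with this non-goal, as an added sketch (not Firefox code and not from this page's authors). It assumes the resolved IPv4 addresses of the initiating document and of the request target are both known; the function names and sample addresses are hypothetical.

```javascript
// Added example (not Firefox code): block loads from a public document to an RFC 1918 target.
// Scope: IPv4 and the three blocks listed on the page; loopback, link-local and IPv6 are not modelled.
const RFC1918_BLOCKS = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Strict dotted-quad parser. Leading zeros are rejected because some parsers
// read them as octal, which would let two components disagree on the address.
function ipv4ToInt(addr) {
  const parts = String(addr).split(".");
  if (parts.length !== 4) throw new TypeError(`not a dotted quad: ${addr}`);
  return parts.reduce((acc, p) => {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) {
      throw new TypeError(`bad octet in ${addr}`);
    }
    return acc * 256 + Number(p);
  }, 0);
}

function isRfc1918(addr) {
  const n = ipv4ToInt(addr);
  return RFC1918_BLOCKS.some(([base, prefixLen]) => {
    const start = ipv4ToInt(base);
    return n >= start && n < start + 2 ** (32 - prefixLen);
  });
}

// documentAddr: resolved address the initiating document was loaded from (assumption).
// targetAddr: resolved address the sub-resource request would connect to (assumption).
function decideLoad(documentAddr, targetAddr) {
  const fromPrivate = isRfc1918(documentAddr);
  const toPrivate = isRfc1918(targetAddr);
  // Only public -> private is refused; private -> public is the page's stated non-goal.
  return !fromPrivate && toPrivate ? "block" : "allow";
}

// Constructed sample loads: [document address, target address].
const SAMPLE_LOADS = [
  ["203.0.113.10", "192.168.1.1"],    // public page -> home router
  ["203.0.113.10", "172.31.255.255"], // public page -> last address of 172.16.0.0/12
  ["203.0.113.10", "172.32.0.0"],     // just outside 172.16.0.0/12
  ["192.168.1.20", "198.51.100.7"],   // intranet page -> public resource
  ["10.1.2.3", "192.168.1.1"],        // private -> private
];

function classifySamples() {
  return SAMPLE_LOADS.map(([doc, target]) => decideLoad(doc, target));
}

console.log(classifySamples());
```

Malformed addresses raise a TypeError so the caller has to choose how to fail, since this page does not say how unparseable addresses should be treated.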

Stage 2: Design

5. Functional specification

`

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

`

Stage 5: Release

10. Landing criteria

`

Feature details

Priority P2
Rank 999
Theme / Goal Product Hardening
Roadmap Security
Secondary roadmap `
Feature list `
Project `
Engineering team Networking


Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `
