Security/Features: Difference between revisions

From MozillaWiki
No edit summary
 
(17 intermediate revisions by 2 users not shown)
Latest revision as of 18:43, 10 January 2014

Warning: This page is no longer maintained. Please see SecurityEngineering/Roadmap for current projects.

This page once listed the security features under development and our plans for deployment.

Status Overview

| Feature           | Design          | Discussion                | Review & Standards | Prototype     | Implementation | Version Target |
|-------------------|-----------------|---------------------------|--------------------|---------------|----------------|----------------|
| Origin            | Done            | Done                      | In Progress        | Not Started   | Not Started    |                |
| CSP               | Done (2/2009)   | Pretty Much Done (9/2009) | Not Started        | Done (8/2008) | Done (3/2010)  | 4.0            |
| ForceTLS          | Done (Q2 2009)  | In Progress               | In Progress        | Done (8/2010) | Done (8/2009)  | 4.0            |
| Process Isolation | Done            | In Progress               |                    | n/a           | In Progress    | ?              |
| X-Frame-Options   | Done (Previous) | In Progress (stable)      | Done (Previous)    | n/a           | Done           | 4.0            |
| Content Hashing   | in progress     | in progress               | tbd                | tbd           | tbd            | ?              |
| XSS Filter        | in progress     | in progress               | tbd                | tbd           | tbd            | ?              |

Projects

This is intended to summarize the status and basic goals of each project, and not serve as an ultimate authority on each of the features.

SEE ALSO: Privacy/Features/

Origin Header / Sec-From

Beginning as a Security/Origin header that aimed to prevent clickjacking as well as CSRF and JSON data theft, this feature has evolved into Security/Sec-From, which will not prevent clickjacking but can be compatible with various other specifications for similar HTTP request headers.

Design: Done (6/18/2009) Discussion over the behavior and uses of Sec-From has been ongoing.

Tasks:

  • [DONE] Write up an informal spec Security/Origin
  • [DONE] Unify spec with Adam Barth's Internet Draft [1].
  • [DONE] Unify with CORS "Origin" or pick a new header name to avoid incompatibility. Reworked as Security/Sec-From.

Such an "Origin" header is also mentioned in HTML 5 [2].

Goals:

  • Provide a reliably present "referrer" that
    • has minimal potential for privacy leak
    • reflects all redirects participating in the request
  • aid in detecting CSRF attempts
  • aid in preventing JSON data theft
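
A server-side check built on the goals above, as an added example (not code from the Origin/Sec-From project): it treats the header as a space-separated list of origins, one per redirect hop (an assumption about the Sec-From format), and rejects a state-changing request unless every hop is trusted. The trusted origins are constructed values.

```python
from urllib.parse import urlsplit

# Constructed trust list for a hypothetical application (not from the page).
TRUSTED_ORIGINS = {"https://app.example", "https://www.example"}


def origin_of(url: str) -> str:
    """Serialize a URL's origin as scheme://host[:port], lower-cased and with the
    scheme's default port dropped; anything unparsable becomes 'null'."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return "null"
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}"


def csrf_check(method: str, headers: dict, trusted=TRUSTED_ORIGINS) -> tuple:
    """Decide whether a state-changing request may proceed; returns (allowed, reason).

    Assumed header shape: Sec-From (preferred) or Origin carries a space-separated
    list of origins, one per hop, so every redirect that took part in the request
    is reflected. The request is accepted only if every hop is trusted."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, no CSRF check needed"
    value = headers.get("Sec-From") or headers.get("Origin")
    if value is None:
        # The header is meant to be reliably present (unlike Referer), so a
        # server relying on it can reject its absence outright.
        return False, "no Sec-From/Origin header on state-changing request"
    hops = value.split()
    if "null" in hops:
        return False, "opaque (null) origin in redirect chain"
    untrusted = [hop for hop in hops if origin_of(hop) not in trusted]
    if untrusted:
        return False, "untrusted origin(s) in chain: " + ", ".join(untrusted)
    return True, "every origin in the redirect chain is trusted"
```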

Discussion: In Progress

We've synced up with Adam Barth and settled on a design. He is working with the CORS folks to see if his proposal can be unified with the Origin header they send.

http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0057.html (discussion about renaming from "Origin")

Tasks:

  • [DONE] Settle on a design. Security/Sec-From
  • [ON TRACK] Initiate public discussion on newsgroups and other public forums


Review and Standardization: In Progress. ETA: ?

Tasks:

  • [DONE] Find appropriate standards body to review this feature (IETF).
  • [DONE] Submit to standards body. (Adam is leading this)


Prototype: Not Started. ETA: Q4 2009

Tasks:

  • [ON TRACK] create add-on that appropriately serves this header.
  • [ON TRACK] create test suite that verifies values and presence of the header.

Implementation: Not Started. ETA: ?

Tasks:

  • [ON TRACK] patch mozilla-central
  • [ON TRACK] convert prototype test suite to automated tests

Content Security Policy

Design: In Progress. ETA: Q3 2009

Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities including Cross Site Scripting.

The CSP spec has been iterated upon many times and is approaching a stable configuration.

Goals

  • (Primary) Mitigate Cross Site Scripting (XSS)
  • Mitigate Clickjacking
  • Mitigate Packet Sniffing Attacks
  • Backward Compatibility with sites not employing CSP

Tasks:

Discussion: In Progress.

Public discussion of the CSP design and specification has taken place in mozilla.dev.security. CSP is generally discussed as a good idea, and the discussion has evolved into a compatibility, deployment and small edge-case discussion.

Tasks:

  • [DONE] discuss Security/CSP/Spec spec in public forums
  • [DONE] get feedback (rinse, repeat) until comments are trivial
  • [DONE] come to decision about whether or not to support meta tags (not supporting)
  • [DONE] come to decision about whether or not to support multiple HTTP headers

Review and Standardization: In Progress. ETA: ?

Appropriate paths for standardization and external review are being explored.

Tasks:

  • [ON TRACK] find a standards body that should review CSP
  • [ON TRACK] submit formal spec for review/feedback

Prototype: Done. (8/2008)

Prototype implementation was completed in August 2008. It implements an old version of CSP and does not provide the base restrictions.

Tasks:

  • [DONE] create add-on that enforces policies (minus base restrictions)


Implementation: In Progress. ETA: Q3 2009

CSP as specified is being implemented on mozilla-central and is aimed for landing in Q3 2009. It can be followed in bug 493857.

Tasks:

  • [DONE] make patch to parse CSP policy in headers
  • [DONE] make patch to enforce CSP policy directives
  • [DONE] make patch to report policy violations
  • [DONE] make patch to implement base restriction enforcements
  • [DONE] land patch on trunk
  • [ON TRACK] create document explaining how to write a good policy
  • [ON TRACK] create document explaining how to convert a site to support CSP
  • [DONE] create server-based test suite (for other UAs who implement CSP)
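
An added example (not the Firefox patch or the CSP specification's own code) of the first two implementation tasks above, parsing a policy header and enforcing its source lists: it understands 'self', 'none', *, scheme sources and host sources with a leading wildcard or a port, and falls back to default-src (current CSP) or to the allow directive of the 2009 Mozilla draft. Base restrictions such as blocking inline script are not modelled; the sample policies and URLs are constructed.

```python
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    """Parse 'directive src src; directive src' into {directive: [sources]}.
    Names are case-insensitive; a repeated directive keeps its first occurrence."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _origin(url: str) -> tuple:
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(scheme)

def _source_matches(src: str, target: tuple, page: tuple) -> bool:
    """Match one source expression against the (scheme, host, port) of a load."""
    scheme, host, port = target
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return target == page
    if src == "*":
        return True
    if src.endswith(":"):                       # scheme source such as https:
        return scheme == src[:-1]
    s, sep, rest = src.partition("://")         # host source: [scheme://]host[:port]
    if sep and s != scheme:
        return False
    h, _, p = (rest if sep else src).partition(":")
    if p and p != "*" and p != str(port):
        return False
    if h.startswith("*."):
        return host.endswith(h[1:])             # *.example matches a.example, not example
    return h == host

def load_allowed(policy: dict, directive: str, url: str, page_url: str) -> bool:
    """Does `policy` permit fetching `url` for `directive` (e.g. script-src)?"""
    sources = policy.get(directive)
    for fallback in ("default-src", "allow"):   # current CSP name, then the 2009 draft's
        sources = policy.get(fallback) if sources is None else sources
    if sources is None:
        return True                             # nothing governs this load type
    return any(_source_matches(s, _origin(url), _origin(page_url)) for s in sources)
```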

ForceTLS / Strict-Transport-Security

Design: Done (6/18/2009) http://forcetls.sidstamm.com/

Tasks:

  • [DONE] spec out syntax -- JeffH drove this

Goals

  • Allow sites to "default" to HTTPS
  • Help prevent MITM due to HTTPS stripping (re-serving sites as HTTP instead of HTTPS).

Discussion: In Progress.

The topic is fairly simple and the edge cases have mostly been taken care of. Any remaining issues will be exposed in the standardization process.

Tasks:

  • [DONE] lead internal discussion about use/feature set -- JeffH drove this
  • [ON TRACK] discuss in a public forum


Review and Standardization: In Progress. See Strict Transport Security for details.

Tasks:

  • [ON TRACK] IETF
  • [ON TRACK] W3C? (Currently submitted here by Paypal)

Prototype: Done. (6/2009)

https://addons.mozilla.org/en-US/firefox/addon/12714

Tasks:

  • [DONE] implement with tree-based host searching and SQLite client-side data storage
  • [DONE] write up summary of how to use the add-on
  • [DONE] submit to AMO for screening and public dissemination

Implementation: Done. (8/2010)

Tasks:

  • [DONE] convert prototype to C++ -- partially in JS, see bug 495115
  • [DONE] pick optimal location to scan for header
  • [DONE] write unit tests
  • [DONE] land on trunk
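
An added example (not the ForceTLS add-on or the Firefox implementation) of the mechanism these tasks describe: it parses a Strict-Transport-Security header, keeps known hosts in a tree of DNS labels so that a lookup walks the host name label by label (the prototype's tree-based host search; the SQLite persistence is left out), expires entries, honours max-age=0, and upgrades http:// URLs for known hosts before any request leaves the client. Host names and times are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_sts(header: str):
    """Parse 'max-age=N[; includeSubDomains]'; None when no numeric max-age is present."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class StsStore:
    """Known-STS hosts in a tree of DNS labels rooted at the TLD; only feed it headers received over HTTPS."""
    def __init__(self):
        self.root = {}

    def remember(self, host: str, header: str, now: float) -> bool:
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        node = self.root
        for label in reversed(host.lower().split(".")):
            node = node.setdefault(label, {})
        if max_age == 0:
            node.pop("_sts", None)      # max-age=0 tells the client to forget the host
        else:
            node["_sts"] = (now + max_age, include_sub)
        return True

    def is_sts_host(self, host: str, now: float) -> bool:
        # Walk labels right to left; a parent that set includeSubDomains matches early.
        labels = host.lower().split(".")
        node = self.root
        for depth, label in enumerate(reversed(labels)):
            node = node.get(label)
            if node is None:
                return False
            entry = node.get("_sts")    # (expiry, include_subdomains) or None
            if entry and entry[0] > now and (entry[1] or depth == len(labels) - 1):
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        # Rewrite http:// to https:// for a known STS host before any request is sent.
        p = urlsplit(url)
        if p.scheme.lower() == "http" and self.is_sts_host(p.hostname or "", now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```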

Process Isolation

Design: In Process.

https://wiki.mozilla.org/Electrolysis

Goals

  • Create infrastructure to allow process separation within Firefox
  • Put plugins in a separate process for stability reasons
  • Create separate content processes for stability and performance reasons
  • Implement isolated processes to reduce the damage from various types of vulnerabilities

Tasks


Discussion: In Process.

Tasks

Review and Standardization:

Prototype: In Process.

Implementation:

Phases https://wiki.mozilla.org/Electrolysis#Implementation

  • Plugin process separation - due to ship in Lorentz
  • Out of process tabs - in process
  • Add-on multi-process support and compatibility
  • Performance, caching, process pools
  • Sandboxing of content processes and, hopefully, plugins

X-Frame-Options

Design: Done.

Goals

  • Allow sites to specify how they may be framed
  • Help prevent Clickjacking
  • Be compatible with IE/WebKit implementations

Discussion: In Process.

Tasks

  • [DROPPED] Discuss extensions of XFO with other implementation bodies (e.g., whole-tree-walking, etc.)
  • [DONE] Make sure this will work alongside Security/CSP

Review and Standardization:

There does not exist a formal specification. Eric Lawrence's blog post on X-Frame-Options serves as the closest thing to a spec.

Prototype: None.

Implementation: Done (see bug 4755300).

Tasks

  • [DONE] Design Behavior
  • [DONE] Implement Patch
  • [DONE] Implement Unit Tests
  • [DONE] Get reviewed and land on trunk
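
The decision the goals above describe, as an added example (not the Firefox patch from the bug cited above): given the X-Frame-Options value and the chain of framing documents, it applies DENY, SAMEORIGIN and ALLOW-FROM. SAMEORIGIN is compared against every ancestor (the whole-tree-walking variant mentioned in the dropped task) or, with walk_whole_tree=False, against only the top-level document; an unrecognised value is ignored, which is the browser behaviour assumed here. URLs are constructed.

```python
from urllib.parse import urlsplit


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, for origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or {"http": 80, "https": 443}.get(scheme)


def may_be_framed(xfo: str, framed_url: str, ancestors: list, walk_whole_tree: bool = True) -> bool:
    """Should a document served with X-Frame-Options `xfo` render inside `ancestors`?

    `ancestors` lists the framing documents from the immediate parent up to the
    top-level page; it is empty for a top-level load, which the header never blocks.
    DENY: never framed. SAMEORIGIN: every ancestor must share the document's origin
    when walk_whole_tree is set, otherwise only the top-level document is compared.
    ALLOW-FROM <uri>: only that top-level origin. Anything else is ignored."""
    if not ancestors:
        return True
    parts = xfo.strip().split(None, 1)
    token = parts[0].upper() if parts else ""
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        checked = ancestors if walk_whole_tree else ancestors[-1:]
        return all(origin(a) == origin(framed_url) for a in checked)
    if token == "ALLOW-FROM" and len(parts) == 2:
        return origin(ancestors[-1]) == origin(parts[1])
    return True   # malformed or unknown value: the header is ignored and the page renders
```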