Security/Android/Capability-Matrix: Difference between revisions
Revision as of 18:45, 1 April 2013
= About =

A comparison of security features for various Android mobile browsers

= Capability Matrix =

{| class="wikitable sortable" border="1"
| align="center" style="background:#f0f0f0;"|'''Feature'''
| align="center" style="background:#f0f0f0;"|'''Fennec'''
| align="center" style="background:#f0f0f0;"|'''Leading, Neutral, Trailing'''
| align="center" style="background:#f0f0f0;"|'''Android 2.2.x'''
| align="center" style="background:#f0f0f0;"|'''Android 2.3.x'''
| align="center" style="background:#f0f0f0;"|'''Android 3.0.x'''
| align="center" style="background:#f0f0f0;"|'''Android 3.1.x'''
| align="center" style="background:#f0f0f0;"|'''Android 3.2.x'''
| align="center" style="background:#f0f0f0;"|'''Android 4.0.x'''
| align="center" style="background:#f0f0f0;"|'''Chrome'''
| align="center" style="background:#f0f0f0;"|'''Notes'''
|-
| HttpOnly cookie attribute||Yes||Leading||No||No||No||No|| ||Yes||Yes||
|-
| Secure cookie attribute||Yes||Neutral||Yes||Yes||Yes||Yes||Yes||Yes||Yes||
|-
| STS (HTTP Strict Transport Security)||Yes||Leading||No||No||No||No|| ||No||Yes||
|-
| X-Frame-Options||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Origin header 446344 (2011-01-05)||No||Trailing||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Browserscope tests
|-
| postMessage||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| JSON.parse||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| toStaticHTML 443564 (2008-10-06)||No||Neutral||No||No||No||No|| ||No||No||
|-
| X-Content-Type-Options 471020 (2012-06-04)||No||Neutral||No||No||No||No|| ||No||Yes||
|-
| Block reflected XSS 528661 (2012-06-04)||No||Neutral||No||No||No||No|| ||No||Yes||
|-
| Block location spoofing||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Block JSON hijacking||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Block XSS in CSS||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| iframe sandbox attribute 341604 (2012-06-04)||No||Trailing||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Block cross-origin CSS attacks||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Content Security Policy||Yes||Leading||No||No||No||No|| ||No||Yes||
|-
| CORS||Yes||Neutral||Yes||Yes||Yes||Yes|| ||Yes||Yes||
|-
| Block visited link sniffing||Yes||Neutral||No||No||Yes||Yes|| ||Yes||Yes||
|-
| Other
|-
| Do Not Track||Yes||Leading||No||No||No||No||No||No||No||
|-
| Private browsing 582244 (2012-01-09)||No||Trailing||No||No||Yes||Yes||Yes||Yes*||Yes||It's there, but it's hard to find: go "new tab", then hit the menu button.
|-
| Process sandboxing 730956 (2012-04-19)||No||Neutral||No||No||No||No||No*||?||Yes||Based on Alex Russell's comments here: http://www.quora.com/Google-Chrome/Is-the-browser-in-Android-Honeycomb-Chrome-And-if-so-what-version-is-it
|-
| Master password||Yes||Leading||No||No||No||No||No||No|| ||
|-
| CA pinning 744204 (2012-04-10)||No|| || || || || || || ||Yes||Android: almost certainly not (not even Market / Play uses pinning). I've been trying to come up with a good test for this today; so far I've failed miserably.
|-
| Click to Play||Yes||Leading||No||No||No||No||No||No|| ||The Android default for plugins is "Always on". The options are "Always on", "On demand" and "Off".
|-
| JavaScript controls||No**||Trailing||Yes||Yes||Yes||No||Yes||Yes|| ||Fennec has no option to disable JS in the UI; javascript.enabled can be changed in about:config. On Android, JS can be disabled but defaults to enabled.
|-
| Cookie controls||Yes||Neutral||Yes||Yes||Yes||Yes||Yes||Yes|| ||No individual option for clearing; Fennec data clearing is under "Clear private data". Android cookie storage is enabled by default, and cookies can be cleared.
|-
| Password controls||Yes||Neutral||Yes||Yes||Yes||Yes||Yes||Yes|| ||No individual option for clearing; Fennec data clearing is under "Clear private data". Passwords are saved by default on Android, and stored passwords can be cleared.
|-
| Security warnings||Yes||Neutral||Yes||Yes||Yes||Yes||Yes||Yes|| ||Fennec has no option for security warnings, but they are enabled by default. Security warnings are enabled by default on Android.
|-
| Permissions manager?||Yes?||Neutral||Yes||Yes||Yes||Yes||Yes||Yes|| ||Fennec has an option for "Clear site settings"; I didn't see a more granular option. On 4.0.3, Settings -> Advanced -> Website Settings allows you to clear individual settings/data per website (e.g. localStorage, geolocation).
|-
| SNI (Server Name Indication)||Yes||Neutral||No||No||Yes||Yes||Yes||Yes||Yes||
|}