Security/Features/SameDomainCookie
Status
| Same Domain Cookies | |
| Stage | Draft |
| Status | In progress |
| Release target | Firefox 20 |
| Health | OK |
| Status note | https://bugzilla.mozilla.org/show_bug.cgi?id=795346 |
{{#set:Feature name=Same Domain Cookies
|Feature stage=Draft |Feature status=In progress |Feature version=Firefox 20 |Feature health=OK |Feature status note=https://bugzilla.mozilla.org/show_bug.cgi?id=795346 }}
Team
| Product manager | ` |
| Directly Responsible Individual | Mark Goodwin |
| Lead engineer | ` |
| Security lead | ` |
| Privacy lead | ` |
| Localization lead | ` |
| Accessibility lead | ` |
| QA lead | ` |
| UX lead | ` |
| Product marketing lead | ` |
| Operations lead | ` |
| Additional members | ` |
{{#set:Feature product manager=`
|Feature feature manager=Mark Goodwin |Feature lead engineer=` |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}
Open issues/risks
`
Stage 1: Definition
1. Feature overview
SameDomain cookie is a CSRF prevention measure
The mechanism consists of a new cookie flag (tentatively called SameDomain) which, when set, instructs the browser to only send the cookie when the cookie domain attribute matches the domain of the referring URI. Aside from this restriction, browser should behave exactly as they would otherwise.
2. Users & use cases
`
3. Dependencies
`
4. Requirements
The goal of this feature is to provide a robust CSRF protection mechanism which is simple to understand and easy for site owners to implement. (more detail to follow)
Non-goals
`
Stage 2: Design
5. Functional specification
`
6. User experience design
There should be little or no user-visible associated with this feature.
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
` {{#set:Feature open issues and risks=` |Feature overview=SameDomain cookie is a CSRF prevention measure
The mechanism consists of a new cookie flag (tentatively called SameDomain) which, when set, instructs the browser to only send the cookie when the cookie domain attribute matches the domain of the referring URI. Aside from this restriction, browser should behave exactly as they would otherwise. |Feature users and use cases=` |Feature dependencies=` |Feature requirements=The goal of this feature is to provide a robust CSRF protection mechanism which is simple to understand and easy for site owners to implement. (more detail to follow) |Feature non-goals=` |Feature functional spec=` |Feature ux design=There should be little or no user-visible associated with this feature. |Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=` |Feature implementation notes=` |Feature landing criteria=` }}
Feature details
| Priority | P3 |
| Rank | 999 |
| Theme / Goal | ` |
| Roadmap | Security |
| Secondary roadmap | Platform |
| Feature list | ` |
| Project | ` |
| Engineering team | ` |
{{#set:Feature priority=P3
|Feature rank=999 |Feature theme=` |Feature roadmap=Security |Feature secondary roadmap=Platform |Feature list=` |Feature project=` |Feature engineering team=` }}
Team status notes
| status | notes | |
| Products | ` | ` |
| Engineering | ` | ` |
| Security | sec-review-unnecessary | should be floated as spec |
| Privacy | ` | ` |
| Localization | ` | ` |
| Accessibility | ` | ` |
| Quality assurance | ` | ` |
| User experience | ` | ` |
| Product marketing | ` | ` |
| Operations | ` | ` |
{{#set:Feature products status=`
|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=sec-review-unnecessary |Feature security health=OK |Feature security notes=should be floated as spec |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}
Original writeup is here: http://people.mozilla.org/~mgoodwin/OriginOnly/