There was a request in the weekly status meeting yesterday to mention
any features you are working on for Firefox 3. I don't know whether that
only means features in the PRD, but anyway, I plan to implement Content
Restrictions for Firefox 3.
http://www.gerv.net/security/content-restrictions/
The idea is to provide a good "backstop" for when XSS holes are found in
websites. Nothing short of disabling JavaScript, bug-free server-side
code or reading the web designer's mind can fully protect against XSS,
but I think this gives designers a good second shot at mitigating the
impact if a hole is found.
If you've read it before, please have another look. I've removed a lot
of restriction types on the basis that they were making promises I don't
think we could keep. The new proposal is therefore a lot simpler.
The spec has been designed to be easy to implement, according to my
(certainly imperfect) knowledge of the Mozilla security capabilities
model, and to have no requirement for end user interaction.
I plan to implement it in stages, with the higher-value restrictions
first. Those are the ones listed first in the document. It could be that
some of the restrictions are hard to implement or aren't useful in
practice; we'll discover this as we go along.
Further comments on the spec would be welcome.
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
