Intent to Ship - sandbox-"allow-downloads"

2020-09-02 Thread Sebastian Streich
Summary:
Firefox 82 will start to block downloads that are initiated by sandboxed
iframes unless the embedder has opted in via setting the “allow-download”
sandbox-flag.

Bug:

Bugzilla 1558394 

Standards:

   - whatwg/attr-iframe-sandbox-allow-downloads
   - whatwg/#allowed-to-download

Platform coverage:

all platforms

Estimated or target release:

Firefox 82

Preference:

This feature is controlled via:

dom.block_download_in_sandboxed_iframes

web-platform-tests:

This feature is covered by wpt tests.

Other browsers:

Safari: no support

Chrome: Shipped with Chrome 83


Secure contexts:

This feature isn’t restricted to Secure Contexts.
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
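
For embedders who want to find affected frames before Firefox 82, the following is an added example, not part of the original post and not Firefox code: a static audit that lists each `<iframe>` in a page's markup and whether its sandbox attribute opts in to downloads. It assumes static HTML only (sandbox flags set from script or inherited from an ancestor frame are not seen); the sample markup and the `widgets.example` URLs are constructed.

```javascript
// Added example: static audit of embedder markup (not Firefox code).
// SAMPLE_HTML is constructed; the widgets.example URLs are placeholders.
const SAMPLE_HTML = `
<iframe src="https://widgets.example/report" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://widgets.example/export" sandbox="allow-scripts Allow-Downloads"></iframe>
<iframe src="/legacy.html"></iframe>
<iframe sandbox src='/locked.html' title="sandbox=allow-downloads > demo"></iframe>
`;

// Parse a tag's attribute text into a Map; the first occurrence of a name wins, as in HTML.
function parseAttrs(text) {
  const attrs = new Map();
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of text.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// sandbox is a set of ASCII-whitespace-separated, case-insensitive tokens.
// null means the attribute is absent, so the frame is not sandboxed.
function downloadsAllowed(sandbox) {
  if (sandbox === null) return true;
  const tokens = sandbox.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  return tokens.includes("allow-downloads");
}

// List every <iframe> in the markup with its download verdict. Quoted attribute
// values may contain ">", so the tag pattern skips over quoted strings.
function auditIframes(html) {
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  return [...html.matchAll(tagRe)].map((m) => {
    const attrs = parseAttrs(m[1]);
    const sandbox = attrs.has("sandbox") ? attrs.get("sandbox") : null;
    return { src: attrs.get("src") ?? null, sandbox, downloadsAllowed: downloadsAllowed(sandbox) };
  });
}

// Frames whose downloads will be blocked unless the embedder opts in.
function blockedFrames(html) {
  return auditIframes(html).filter((f) => !f.downloadsAllowed).map((f) => f.src);
}

console.log(blockedFrames(SAMPLE_HTML));
```

An empty `sandbox` attribute applies every restriction, so the fourth sample frame is reported even though the string "allow-downloads" appears in its `title`.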


Intent to Ship - Support XCTO: nosniff for navigations

2019-09-05 Thread Sebastian Streich
Currently the support for “X-Content-Type-Options: nosniff” is limited to
CSS and JS resources. In Firefox 70 I intend to enable nosniff support for
page navigations by default.

If a server's response does not include any mime-type but sets the response
header "XCTO: nosniff" then Firefox will prompt the user to download the
file instead of trying to sniff the mime-type, eliminating the attack
vector of so-called mime-confusion attacks.

Supporting XCTO: nosniff not only for JS and CSS but also for top-level
navigations will create parity with other browsers (Chrome, Safari) who are
already supporting XCTO: nosniff for navigations.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1428473

Link to standard:
https://fetch.spec.whatwg.org/#x-content-type-options-header

Platform coverage: This will be exposed to all platforms.

Estimated or target release: Firefox 70

Is this feature enabled by default in sandboxed iframes? N/A

DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1571415

Do other browser engines implement this? Yes
Secure contexts: This feature isn’t restricted to Secure Contexts.


Bug implementing and enabling this feature:

   - https://bugzilla.mozilla.org/show_bug.cgi?id=1469592
   - https://bugzilla.mozilla.org/show_bug.cgi?id=1570658


Intent to Implement- Double-keyed HTTP cache

2019-08-21 Thread Sebastian Streich
Summary:

Currently browsers are vulnerable to cache-timing attacks, commonly
referred to as XS Leaks attacks. Starting with Firefox 70 we want to
explore a double-keyed HTTP cache. Instead of solely using the origin of
the resource, we will double key the HTTP Cache using the top-level origin.
Using the top-level origin as the 2nd Key in the HTTP Cache allows us to
counteract XS Leaks and eliminates the ability of checking cache contents
across Origins.

Bug:  Bugzilla 1536058


Standard: https://github.com/whatwg/fetch/issues/904

Platform coverage: all platforms

Estimated or target release: Firefox 70

Preference: The feature will be pref'd behind
“browser.cache.cache_isolation” and disabled by default.

Other browsers:

webkit: shipped

Chrome: implementing

web-platform-tests: 

Secure contexts:  This feature isn’t restricted to Secure Contexts.


Intent to unship: CSP “require-sri-for” Support

2019-04-01 Thread Sebastian Streich
Summary:

In bug 1386214 we are planning to remove the code for the “require-sri-for”
CSP directive.

The “require-sri-for” directive allows developers to block resource
requests that do not contain integrity metadata.

Please note that the entire code has always been behind a pref
(security.csp.experimentalEnabled) and we never shipped ‘require-sri-for’
by default.

Chrome also has flagged the feature as experimental and it seems they plan
to remove the code as well. See:
https://bugs.chromium.org/p/chromium/issues/detail?id=618924

We’re planning to remove the feature in FF 69.


Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1386214

Link to standard: https://w3c.github.io/webappsec-subresource-integrity/



Thanks

 -- Sebastian