Intent to Ship - sandbox-"allow-downloads"

2020-09-02 Thread Sebastian Streich
Intent to Ship - sandbox-"allow-downloads" Summary: Firefox 82 will start to block downloads that are initiated by sandboxed iframes unless the embedder has opted in via setting the “allow-download” sandbox-flag. Bug: Bugzilla 1558394

Intent to Ship - Support XCTO: nosniff for navigations

2019-09-05 Thread Sebastian Streich
Currently the Support for “X-Content-Type-Options: nosniff“ is limited to CSS and JS resources. In Firefox 70 I intend to enable nosniff support for page navigations by default. If a server's response does not include any mime-type but sets the response header "XCTO: nosniff" then Firefox will

Intent to Implement- Double-keyed HTTP cache

2019-08-21 Thread Sebastian Streich
Intent to Implement- Double-keyed HTTP cache Summary: Currently Browsers are vulnerable to cache-timing attacks, commonly referred to as XS Leaks attacks. Starting with Firefox 70 we want to explore a double-keyed HTTP cache. Instead of solely using the origin of the resource, we will double

Intent to unship: CSP “require-sri-for” Support

2019-04-01 Thread Sebastian Streich
Summary: In bug 1386214 we are planning to remove the Code for the "require-sri-for” CSP directive. The “require-sri-for” directive allows developers to block resource requests that do not contain integrity metadata. Please note that the entire code has always been behind a pref