Closed Bug 1153423 (nsec-csp) Opened 6 years ago Closed 5 years ago

[META] Tracking bug for CSP implementation of New Security Model

Categories

(Core :: DOM: Security, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED WONTFIX
Future

People

(Reporter: jgong, Assigned: ethan)

Details

(Whiteboard: [newsecurity][domsecurity-meta])

User Story

This is a V3 initiative for a New Security Model.  https://wiki.mozilla.org/FirefoxOS/New_security_model

This Meta Bug is for tracking the "CSP" implementation, a sub-component of the bigger New Security Model project. https://wiki.mozilla.org/FirefoxOS/New_security_model#CSP

*****
We need to make sure that it can't load scripts from outside of the signed package. And we need to make sure that it can't use inline scripts.

The plan is to use the CSP code to accomplish this. We can mainly leverage existing code which enables applying a default CSP policy to certain content. We'll use this to apply a default CSP to all signed content similarly to how we currently apply a default CSP to all privileged apps.

We'll also need to extend it to enable it to enforce loads to happen "from same package", rather than just "from same origin".
User Story: (updated)
Summary: [META] Tracking bug for Signing implementation of New Security Model → [META] Tracking bug for CSP implementation of New Security Model
No longer depends on: nsec-signing
Blocks: 1153421
Blocks: nsec-signing
No longer blocks: 1153421
No longer blocks: nsec-signing
Blocks: nsec
Blocks: nsec-signing
Blocks: nsec-origins
Blocks: nsec-sw
No longer depends on: nsec-installing
No longer blocks: nsec-installing
Depends on: nsec-installing
Blocks: nsec-signing
No longer depends on: nsec-signing
Blocks: nsec-verify
No longer depends on: nsec-verify
No longer blocks: nsec-signing, nsec-verify
Product: Firefox → Core
Blocks: 1153449
Whiteboard: [NewSecurity] → [newsecurity]
Priority: -- → P1
I will be in charge of this bug.
Assignee: nobody → ettseng
Depends on: 1181137
blocking-b2g: --- → 2.5+
Status: NEW → ASSIGNED
Target Milestone: --- → FxOS-S10 (30Oct)
blocking-b2g: 2.5+ → ---
Moving this one over to DOM:Security, since it's related to CSP!
Component: Security → DOM: Security
Whiteboard: [newsecurity] → [newsecurity][domsecurity-meta]
All child bugs of this bug were either fixed or resolved wontfix. Should we still track this meta bug?
Priority: P1 → --
Target Milestone: FxOS-S10 (30Oct) → Future
Closing this bug since the New Security Model project was stopped.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX