Status

Core
Security
--
enhancement
16 years ago
11 years ago

People

(Reporter: Heikki Toivonen (remove -bugzilla when emailing directly), Assigned: dveditz)

Tracking

(Blocks: 2 bugs)

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

We should implement some kind of security zones.

Basically the idea is to have a pref where the user can state his intranet
domains. These domains are protected so that any communication from outside
these domains cannot reach them. This is the "incoming" security zone, or
intranet zone. This would make it harder to use the browser as a way to bypass
the firewall if some security exploit was found.

We should also implement an outgoing security zone. This should perhaps be made
into a separate bug, but we can break this out later. Basically we have limited,
or will limit, what external resources can be loaded from a document. The idea
of the outgoing security zone, or trusted sites, is that you could list domains
or sites that you trust a bit more than the average page out there, and would
allow more external resources to be loaded from those sites/domains.
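
The "incoming" (intranet) zone check proposed in the report above, written out as an added example; it is not code from this bug or from Mozilla. `INTRANET_DOMAINS` stands in for the proposed pref, and the function names and sample domains are assumptions made for illustration.

```javascript
// Added illustration. INTRANET_DOMAINS is a hypothetical stand-in for the
// proposed pref; the domains are constructed sample values.
const INTRANET_DOMAINS = ["corp.example", "intranet.example.org"];

// True when host is a listed domain or a subdomain of one.
// Matching is done on label boundaries, so "othercorp.example"
// does not match the entry "corp.example".
function inIntranetZone(host, domains = INTRANET_DOMAINS) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return domains.some((d) => {
    const dom = d.toLowerCase();
    return h === dom || h.endsWith("." + dom);
  });
}

// Decide whether a document at sourceUrl may load or navigate to targetUrl.
// Only requests that cross INTO the intranet zone from outside are refused.
function checkIncomingZone(sourceUrl, targetUrl, domains = INTRANET_DOMAINS) {
  let source, target;
  try {
    source = new URL(sourceUrl);
    target = new URL(targetUrl);
  } catch (e) {
    return { allow: false, reason: "unparseable URL" }; // fail closed
  }
  if (!inIntranetZone(target.hostname, domains)) {
    return { allow: true, reason: "target outside intranet zone" };
  }
  if (inIntranetZone(source.hostname, domains)) {
    return { allow: true, reason: "both in intranet zone" };
  }
  return { allow: false, reason: "external page reaching into intranet zone" };
}
```

The check compares hostnames only; an external name that resolves to an internal address is not covered by a domain list and would need an address-based rule as well.
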

Is this not bug 38966 (via bug 115789)?

In my opinion, not exactly. The first bug you mentioned was huge, so I did not
read it completely, but my impression was that it is simply a bug for
implementing UI for the various EXISTING security prefs. What I am proposing
here is new prefs, at least some of which seem to be similar to IE security
zones (but I am not sure if 100% the same).

Updated

16 years ago
OS: Windows 2000 → All
Hardware: PC → All
*** Bug 177649 has been marked as a duplicate of this bug. ***
Chris is going to work on this, reassigning.
Assignee: mstoltz → caillon
Target Milestone: --- → mozilla1.5alpha

Comment 5

15 years ago
I am wondering if this bug should be divided into two?

"incoming" security zones:  I don't really know what this is from the
descriptions.  Are we talking about client-side scripting here where a Java
program has launched that is allowing connections into it?  I don't quite see
how a configuration option can affect that given the Java program can simply
change the configuration settings itself easily.  The only real security is to
not launch the malware in the first place which seems to be dealt with in the
"outgoing" security zones concept.


"outgoing" security zones: similar to what IE has where on a per-domain and/or
per-public-key (for SSL sites, signed email, etc) basis you can turn different
browser features on-and-off.  I would like to be able to have this configurable
down to the "which plug-ins are enabled" if that is possible to do.  There are
sites where I think client-side scripting is safe, but would want my default
security zone to have all client-side scripting (which means plug-ins such as
Flash/RealAudio as well as Java, ECMAScript, etc) disabled.
Assignee: caillon → security-bugs
Target Milestone: mozilla1.5alpha → ---
We need a better term than "zone" here. IE has "zones" which are quite 
different.

Updated

13 years ago
Blocks: 309310
(Assignee)

Updated

12 years ago
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit

Updated

11 years ago
Blocks: 371598

Updated

11 years ago
Blocks: 318775