We should implement some kind of security zones. Basically the idea is to have a pref where the user can state his intranet domains. These domains are protected so that any communication from outside these domains can not reach them. This is the "incoming" security zone, or intranet zone. This would make it harder to use the browser as a way to bypass the firewall if some security exploit was found. We should also implement an outgoing security zone. This should perhaps be made into a separate bug, but we can break this out later. Basically we have limited, or will limit, what external resources can be loaded from a document. The idea of the outgoing security zone, or trusted sites, is that you could list domains or sites that you trust a bit more than the average page out there, and would allow more external resources to be loaded from those sites/domains.
In my opinion, not exactly. The first bug you mentioned was huge, so I did not read it completely, but my impression was that it is simply a bug for implementing UI for the various EXISTING security prefs. What I am proposing here is new prefs, at least some of which seem to be similar to IE security zones (but I am not sure if 100% the same).
*** Bug 177649 has been marked as a duplicate of this bug. ***
Chris is going to work on this, reassigning.
Assignee: mstoltz → caillon
Target Milestone: --- → mozilla1.5alpha
15 years ago
Depends on: 83536
I am wondering if this bug should be divided into two? "incoming" security zones: I don't really know what this is from the descriptions. Are we talking about client-side scripting here where a Java program has launched that is allowing connections into it? I don't quite see how a configuration option can affect that given the Java program can simply change the configuration settings itself easily. The only real security is to not launch the malware in the first place which seems to be dealt with in the "outgoing" security zones concept. "outgoing" security zones: similar to what IE has where on a per-domain and/or per-public-key (for SSL sites, signed email, etc) basis you can turn different browser features on-and-off. I would like to be able to have this configurable down to the "which plug-ins are enabled" if that is possible to do. There are sites where I think client-side scripting is safe, but would want my default security zone to have all client-side scripting (which means plug-ins such as Flash/RealAudio as well as Java, ECMAScript, etc) disabled.
Assignee: caillon → security-bugs
Target Milestone: mozilla1.5alpha → ---
We need a better term than "zone" here. IE has "zones" which are quite different.
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
You need to log in before you can comment on or make changes to this bug.