Closed
Bug 199996
Opened 22 years ago
Closed 22 years ago
Allow browser to lock down a page or site
Categories
(Core :: Security, enhancement)
VERIFIED
DUPLICATE
of bug 199825
People
(Reporter: wolruf, Assigned: security-bugs)
Details
Security idea: Mozilla loads an SSL page; everything included in the page
(iframe, img src, js, etc.) loaded from another HTTP site not using the same
certificate is rejected.
User would get a warning popup that site will use a special security mode
allowing the page to only download content from the site he's loaded the main
page from.
Possibility to have a whitelist so that you could re-enable more sites to
download content from, on a per-object basis.
Possible usage: implement a new HTTP header X-Lockdown? (from kirun on #mz)
Background idea: the browser is the client, webmail and many management apps are
using it and manipulating uncontrolled user data, it's nearly impossible to
secure a webmail client totally, malicious users always discover a new flaw
(search XSS on Google for examples).
This is pushing the concept of mixed mode content a bit further.
Filed as an RFE as it'd require implementing something new in Mozilla (and in web
apps of course). Similar to what Mozilla does with Link Prefetching.
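
The load decision this request describes, sketched as an added example (not part of the bug report and not Mozilla code). The `X-Lockdown` value syntax, the function names and the hosts are assumptions made for illustration, and the "same certificate" test is approximated by same origin.

```javascript
// Hypothetical header syntax (the bug only names "X-Lockdown"):
//   X-Lockdown: img=https://static.example; script=https://api.example
// Returns null when the header is absent (no lockdown requested), otherwise
// a Map of object type -> Set of whitelisted origins.
function parseLockdown(headerValue) {
  if (headerValue === undefined || headerValue === null) return null;
  const allow = new Map();
  for (const part of headerValue.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue; // ignore malformed entries
    const type = part.slice(0, i).trim();
    const set = allow.get(type) || new Set();
    for (const o of part.slice(i + 1).trim().split(/\s+/)) {
      try { set.add(new URL(o).origin); } catch { /* skip bad origin */ }
    }
    allow.set(type, set);
  }
  return allow;
}

// Decide whether a subresource of `type` (img, script, iframe, ...) may load.
function decideLoad(pageUrl, policy, type, resourceUrl) {
  if (policy === null) return "allow"; // page did not opt in
  const page = new URL(pageUrl);
  let res;
  try { res = new URL(resourceUrl, page); } catch { return "block"; }
  // Same origin as the main page: always allowed.
  if (res.origin === page.origin) return "allow";
  // Whitelist is per object type, and plain-HTTP entries are never honoured.
  // data:/javascript: URLs have the opaque origin "null" and fail closed.
  const listed = policy.get(type);
  if (listed && res.protocol === "https:" && listed.has(res.origin)) return "allow";
  return "block";
}

// Constructed sample input.
const PAGE = "https://mail.example/inbox";
const POLICY = parseLockdown(
  "img=https://static.example; script=https://static.example https://api.example");

for (const [type, url] of [
  ["img", "/logo.png"],
  ["img", "https://static.example/a.png"],
  ["iframe", "https://static.example/frame.html"],
  ["script", "https://evil.example/x.js"],
]) console.log(type, url, "->", decideLoad(PAGE, POLICY, type, url));
```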
Comment 1 (Assignee) • 22 years ago
Strange, to get the same request twice today...
*** This bug has been marked as a duplicate of 199825 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Comment 2 (Reporter) • 22 years ago
I was trying to add even more ideas about it which would go further (whitelist,
etc.), shall I comment in the other bug report then?
The main apps using it would be: webmail, web applications generally speaking
(there are plenty, and expensive ones!)
Comment 3 (Assignee) • 22 years ago
Yes, please continue the discussion in the other bug.