Closed Bug 199996 Opened 21 years ago Closed 21 years ago

Allow browser to lock down a page or site

Categories

(Core :: Security, enhancement)

x86
Linux
enhancement
Not set
normal

VERIFIED DUPLICATE of bug 199825

People

(Reporter: wolruf, Assigned: security-bugs)

Details

Security idea: Mozilla loads an SSL page; everything included in the page
(iframe, img src, js, etc.) loaded from another HTTP site not using the same
certificate is rejected.

User would get a warning popup that site will use a special security mode
allowing the page to only download content from the site he's loaded the main
page from.

Possibility to have a whitelist so that you could re-enable more sites to
download content from, on a per-object basis.

Possible usage: implement a new HTTP header X-Lockdown? (from kirun on #mz)

Background idea: the browser is the client; webmail and many management apps are
using it and manipulating uncontrolled user data. It's nearly impossible to
secure a webmail client totally; malicious users always discover a new flaw
(search XSS on Google for examples).
This is pushing the concept of mixed mode content a bit further.

Filed as an RFE as it would require implementing something new in Mozilla (and in web
apps of course). Similar to what Mozilla does with Link Prefetching.
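
A sketch of the check proposed in the description above, added here as an illustration; it is not part of the bug report or of Mozilla's code. The `X-Lockdown` value syntax, the certificate-fingerprint field and the rule that whitelisted hosts must also use SSL are assumptions, and all sample data is constructed.

```javascript
// Added sketch of the proposed lockdown check; not Mozilla code.
// Assumed header syntax: X-Lockdown: img=static.example.net; script=cdn.example.net
function parseLockdown(headerValue) {
  const allow = new Map(); // object type -> Set of whitelisted hosts
  for (const part of headerValue.split(";")) {
    const [type, hosts] = part.split("=").map((s) => s.trim().toLowerCase());
    if (!type || !hosts) continue; // skip empty or malformed entries
    const set = allow.get(type) || new Set();
    hosts.split(/\s+/).forEach((h) => set.add(h));
    allow.set(type, set);
  }
  return allow;
}

// page: { url, cert }; res: { type, url, cert }. cert is a certificate
// fingerprint, or null when the resource came over plain HTTP.
function decideLoad(page, allow, res) {
  const pageUrl = new URL(page.url);
  const resUrl = new URL(res.url);
  // Assumption: even whitelisted hosts must be served over SSL.
  if (resUrl.protocol !== "https:" || res.cert === null) {
    return { allowed: false, reason: "not loaded over SSL" };
  }
  if (resUrl.host === pageUrl.host && res.cert === page.cert) {
    return { allowed: true, reason: "same site, same certificate" };
  }
  const hosts = allow.get(res.type);
  if (hosts && hosts.has(resUrl.hostname)) {
    return { allowed: true, reason: "whitelisted for " + res.type };
  }
  return { allowed: false, reason: "foreign site or certificate" };
}

// Constructed sample: a webmail page and four embedded objects.
const page = { url: "https://mail.example.org/inbox", cert: "fp-AAAA" };
const allow = parseLockdown("img=static.example.net; script=");
const requests = [
  { type: "img", url: "https://mail.example.org/logo.png", cert: "fp-AAAA" },
  { type: "img", url: "https://static.example.net/a.png", cert: "fp-BBBB" },
  { type: "script", url: "https://static.example.net/x.js", cert: "fp-BBBB" },
  { type: "iframe", url: "http://tracker.example.com/f", cert: null },
];
function evaluate() {
  return requests.map((r) => decideLoad(page, allow, r).allowed);
}
console.log(evaluate()); // [ true, true, false, false ]
```

The third request shows the per-object whitelist at work: the host is allowed for images but not for scripts.
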

Strange, to get the same request twice today...

*** This bug has been marked as a duplicate of 199825 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE

I was trying to add even more ideas about it which would go further (whitelist,
etc.), shall I comment in the other bug report then?
The main apps using it would be: webmail, web applications generally speaking
(there are plenty, and expensive ones!)

Yes, please continue the discussion in the other bug.

v
Status: RESOLVED → VERIFIED