Network security project
Josh Matthews edited this page Oct 8, 2016 · 2 revisions
Background information: Servo supports HTTP cookies and parts of the Referrer-Policy web standard. The goal of this project is to implement newer, more secure standards, and complete missing pieces of existing ones, in order to increase the security available to users of the Servo browser. The work will encompass adding "strict" variations of existing referrer policies, implementing a maximum number of cookies per host, and restricting insecure cookies from overwriting secure ones.
Initial steps:
- compile Servo and ensure that it runs on `tests/html/about-mozilla.html`
- email the mozilla.dev.servo mailing list (be sure to subscribe first!) introducing your group and asking any necessary questions
- implement the `strict-origin` and `strict-origin-when-cross-origin` referrer policies (see `determine_request_referrer` and `determine_policy_for_token`)
- support multiple policy values in the `Referrer-Policy` HTTP header per the specification (this task was completed independently)
- add support for the new strict policy values in the `Referrer-Policy` HTTP header (source)
- add tests for the new policy values in `tests/unit/net/http_loader.rs` (run with `./mach test-unit -p net`)
Subsequent steps:
- redesign `CookieStorage` to store cookies in a `HashMap` where the key is the base domain of the cookie's source (i.e. "www.google.co.uk" becomes "google.co.uk")
- store a `max_per_host` limit in `CookieStorage` that is checked when adding new cookies; evict the oldest cookie if the limit is reached (add tests to `tests/unit/net/cookie.rs`)
- implement the Leave Secure Cookies Alone specification
- ensure that newly created insecure cookies cannot override existing secure cookies (add tests to `tests/unit/net/cookie.rs`)
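The three cookie-side steps above (base-domain keyed storage, a `max_per_host` limit with oldest-first eviction, and the Leave Secure Cookies Alone rule) as one added Rust sketch; this is example code written for this page, not Servo's `CookieStorage`. The `Cookie` struct, `push`, `cookies_for` and the two-entry suffix list standing in for the Public Suffix List are all assumptions of the example.

```rust
use std::collections::HashMap;

/// Minimal cookie record (constructed for this example; not Servo's type).
#[derive(Debug, Clone)]
pub struct Cookie { pub name: String, pub value: String, pub secure: bool, pub created: u64 }
impl Cookie {
    pub fn new(name: &str, value: &str, secure: bool) -> Cookie {
        Cookie { name: name.into(), value: value.into(), secure, created: 0 }
    }
}
/// Base domain of a host ("www.google.co.uk" -> "google.co.uk"); the tiny suffix
/// list below is an assumed stand-in for the Public Suffix List a browser would use.
pub fn base_domain(host: &str) -> String {
    const MULTI_LABEL_SUFFIXES: &[&str] = &["co.uk", "com.au"];
    let labels: Vec<&str> = host.split('.').collect();
    let n = labels.len();
    let suffix = labels[n.saturating_sub(2)..].join(".");
    let keep = if n >= 3 && MULTI_LABEL_SUFFIXES.contains(&suffix.as_str()) { 3 } else { n.min(2) };
    labels[n - keep..].join(".")
}

/// Cookie jar keyed by base domain; `created` is an insertion sequence number (smallest = oldest).
pub struct CookieStorage { max_per_host: usize, next_seq: u64, cookies: HashMap<String, Vec<Cookie>> }
impl CookieStorage {
    pub fn new(max_per_host: usize) -> CookieStorage {
        CookieStorage { max_per_host, next_seq: 0, cookies: HashMap::new() }
    }
    /// Store a cookie set by `host`; returns false when the cookie is rejected.
    pub fn push(&mut self, host: &str, mut cookie: Cookie) -> bool {
        cookie.created = self.next_seq;
        self.next_seq += 1;
        let jar = self.cookies.entry(base_domain(host)).or_default();
        if let Some(i) = jar.iter().position(|c| c.name == cookie.name) {
            // Leave Secure Cookies Alone: an insecure cookie never overwrites a secure one.
            if jar[i].secure && !cookie.secure { return false; }
            jar[i] = cookie;
            return true;
        }
        if jar.len() >= self.max_per_host {
            // Limit reached: evict the oldest cookie (smallest sequence number).
            let oldest = (0..jar.len()).min_by_key(|&i| jar[i].created);
            if let Some(i) = oldest { jar.remove(i); }
        }
        jar.push(cookie);
        true
    }
    pub fn cookies_for(&self, host: &str) -> Vec<&Cookie> {
        self.cookies.get(&base_domain(host)).map(|v| v.iter().collect()).unwrap_or_default()
    }
}
```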