Hi folks,

For those who don't know me, I'm a Security Engineer working on Firefox OS (mostly Gaia and Gecko things). I have been pursuing a security goal for quite some time now but haven't yet announced this throughout the project.

A few months ago I had the idea to add a Content Security Policy (CSP) to our internal pages, like about:newtab for example. This is a "defense in depth" mechanism which can prevent Cross-Site Scripting (XSS) flaws in chrome context (i.e., in privileged pages) from being exploited. These simple XSS oversights in privileged pages would mean complete code execution on the system of the victim! The benefit is therefore quite clear and there have been multiple issues with script and other injections in the past.

To move on, all affected pages have to be modified so that stylesheets and JavaScript live in different documents. This means moving inline styles (style tags and attributes), script tags and event attributes (e.g., onclick, onload) into separate documents.

The good thing is that most of these changes are just tiny patches which can be handed out to volunteers and new contributors. We have already made some progress and rewritten some of those files (thanks to so many volunteers). I filed "good first bugs" (linked to the tracking bug 923920) and the current progress is well documented on the wiki (link below).

What I am asking of you is quite simple:

* If you have some spare time, file additional bugs and link them to the tracking bug 923920
* If you are a module peer, consider requiring that updated and new internal pages contain no inline script. Our progress has been diminished by pages being patched towards CSP incompatibility again.

Thanks!
Frederik

Further reading:

* XSS: https://en.wikipedia.org/wiki/Cross-site_scripting
* CSP: https://en.wikipedia.org/wiki/Content_Security_Policy
* Vulnerabilities: MFSA 2012-78, MFSA 2013-52, MFSA 2012-95
* This project on the Wiki: https://wiki.mozilla.org/Security/Inline_Scripts_and_Styles
* Tracking bug for rewriting HTML/JS: https://bugzilla.mozilla.org/show_bug.cgi?id=923920
* Tracking bug for Gecko changes: https://bugzilla.mozilla.org/show_bug.cgi?id=923902

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
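
Added example, not part of the original message and not Mozilla tooling: a small review-time check that lists the constructs the message asks to move out of internal pages (script elements with inline bodies, style elements, style attributes, on* event attributes). The names InlineFinder and find_inline and the sample page with its chrome://example/ URLs are constructed for illustration.

```python
from html.parser import HTMLParser

class InlineFinder(HTMLParser):
    """Collect (line, kind, detail) for markup a no-inline CSP would block."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._open_script = None  # line of a <script> without src, body not yet seen

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        names = {name for name, _ in attrs}  # parser lowercases tag and attribute names
        if tag == "script" and "src" not in names:
            self._open_script = line
        if tag == "style":
            self.findings.append((line, "style-element", "<style>"))
        for name in sorted(names):
            if name == "style":
                self.findings.append((line, "style-attribute", f"<{tag} style=...>"))
            elif name.startswith("on"):  # heuristic: onclick, onload, ...
                self.findings.append((line, "event-attribute", f"<{tag} {name}=...>"))

    def handle_data(self, data):
        # Only a <script> that actually carries code counts as inline script.
        if self._open_script is not None and data.strip():
            self.findings.append((self._open_script, "inline-script", "<script> with body"))
            self._open_script = None

    def handle_endtag(self, tag):
        if tag == "script":
            self._open_script = None

def find_inline(html_text):
    finder = InlineFinder()
    finder.feed(html_text)
    finder.close()
    return sorted(finder.findings)

# Constructed sample page: external CSS/JS on lines 4 and 6 pass, the rest is flagged.
SAMPLE = """<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" href="chrome://example/content/page.css">
  <style>body { margin: 0; }</style>
  <script src="chrome://example/content/page.js"></script>
  <script>init();</script>
</head>
<body onload="setup()">
  <button id="go" style="color: red" onclick="go()">Go</button>
</body>
</html>
"""

if __name__ == "__main__":
    for line, kind, detail in find_inline(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Run over the files touched by a patch, a non-empty result is the signal that a page has been moved back towards CSP incompatibility.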