TPE SecEng/Content Signing for Remote New Tab
Project GoFaster
This feature (content signing for remote new tabs) is part of the project "Security for GoFaster".
The purpose of GoFaster is to separate release cycles for certain features from the main Firefox/Gecko release schedule.
There are two big efforts in GoFaster:
- System Addons (e.g. Hello)
- Remote new tab page
Content signing is required for remote new tab pages.
References:
- Wiki of GoFaster: https://wiki.mozilla.org/Firefox/Go_Faster
- GitHub repository of remote new tab: https://github.com/mozilla/remote-newtab/
- Content-Signature header field for HTTP: https://martinthomson.github.io/content-signature/
Main Engineers
The main engineers for remote new tab and content signing are:
- Remote New Tab: Olivier Yiptong (Firefox Team, Toronto, Canada)
- Content Signing: Franziskus Kiefer (SecEng, Berlin, Germany)
- SRI: Jonathan Hao (SecEng, Taipei, TW)
- CSP: Henry Chang (SecEng, Taipei, TW)
Taipei Dashboard
We are helping with the SRI and CSP work for content signing of remote new tabs.
Meta bugs
ID | Summary | Priority | Status |
---|---|---|---|
1235569 | [Meta] Securing remote about:newtab | -- | RESOLVED |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
Ship bugs
ID | Summary | Status | Target milestone | Resolution | Assigned to | Depends on | Blocks | Whiteboard |
---|---|---|---|---|---|---|---|---|
1226928 | Enforce content signature header on remote about:newtab pages | RESOLVED | mozilla48 | FIXED | Franziskus Kiefer [:franziskus] | | 1235569 | |
1235572 | Enforce SRI on remote about:newtab | RESOLVED | mozilla48 | FIXED | Jonathan Hao (inactive) [:jhao] | | 1235569 | |
1251152 | Implement Content Security Policy (CSP) for remote newtab | RESOLVED | mozilla49 | FIXED | Henry Chang [:hchang] | | 1235569 | tpe-seceng,[domsecurity-active] |
1255798 | Block all non-https loads for remote newtab | NEW | --- | | | | 1235569 | [domsecurity-backlog] |
1256248 | Check channel to allow newtab testing without content-signatures | RESOLVED | mozilla48 | FIXED | Franziskus Kiefer [:franziskus] | | 1235569 | |
1263793 | Verify remote newtab signatures using the content signature service | RESOLVED | mozilla50 | FIXED | Franziskus Kiefer [:franziskus] | 1252882, 1260527, 1264670, 1264675, 1280224, 1336654 | 1235569 | [domsecurity-active] |
1280905 | Handling downgrade attacks | NEW | --- | | | | 1235569 | [domsecurity-backlog3] |
7 Total; 2 Open (28.57%); 5 Resolved (71.43%); 0 Verified (0%);