CSC/ECE 517 Fall 2016/M1654. Improve network security features: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
m (Added Design pattern)
Line 42: Line 42:
==== Strict origin When Cross Origin ====
==== Strict origin When Cross Origin ====
[https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin Strict Origin When Cross Origin] Referrer Policy dictates that the Referrer in HTTP header is filled with the stripped URL of the origin if the request is sent to a URL different from the origin and the complete URL is sent when making [https://en.wikipedia.org/wiki/Same-origin_policy same origin] requests.
[https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin Strict Origin When Cross Origin] Referrer Policy dictates that the Referrer in HTTP header is filled with the stripped URL of the origin if the request is sent to a URL different from the origin and the complete URL is sent when making [https://en.wikipedia.org/wiki/Same-origin_policy same origin] requests.
== '''Design Pattern''' ==
No design patterns were used in this project.


== '''Implementation''' ==
== '''Implementation''' ==

Revision as of 01:29, 4 November 2016

M1654: Improve network security features for Servo (cookies and strict referrer policies)

Servo supports standard [HTTP cookies] and parts of the Referral-Policy web standard. The project aims at increasing the security available to Servo browser users by implementing secure standards and complete the missing parts of the existing implementations. The project involves adding "strict" version of existing referrer policies.


Introduction

Rust

Rust is a systems programming language developed and maintained by Mozilla. It is used as a multi-paradigm, compiled programming language for creating highly safe systems. Rust can be used for a variety of jobs including and not restricted to embedding into other languages, creating modular and optimized programs adhering to space-time constraints and can also be used to develop low-level code for writing device drivers.

Servo

Servo is a modern high-performance browser engine designed for both application and embedded use which is written in Rust. It is created by Mozilla Research and is being built by a global community of individual contributors and companies such as Mozilla and Samsung.

Referrer Policy

Referrer is a HTTP header field which contains the source of the URL that requested the web page. Referrer-policy dictates algorithm used to generate Referrer header when a new web page is requested.


Project Description

The project entails adding improved network security features for Servo engine by supplementing the existing Referrer-policies with 'strict origin' and 'strict origin when cross origin' policies.


A brief description of the list of tasks assigned as part of the project is as follows:

1) Compile Servo and ensure that it runs on tests/html/about-mozilla.html

2) Email the mozilla.dev.servo mailing list (be sure to subscribe first!) introducing your group and asking any necessary questions

3) Implement strict-origin and strict-origin-when-cross-origin referrer policies (see determine_request_referrer and determine_policy_for_token)

4) Add support for the new strict policy values in the Referrer-Policy HTTP header (source)

5) Add tests for the new policy values in tests/unit/net/http_loader.rs (run with ./mach test-unit -p net)


Referrer Policies added in this project

Strict Origin

Strict Origin Referrer Policy dictates that the Referrer in HTTP header is always filled with the stripped URL of the origin and not the complete URL.

Strict origin When Cross Origin

Strict Origin When Cross Origin Referrer Policy dictates that the Referrer in HTTP header is filled with the stripped URL of the origin if the request is sent to a URL different from the origin and the complete URL is sent when making same origin requests.

Design Pattern

No design patterns were used in this project.

Implementation

Strict Origin and Strict Origin When Cross origin Referrer policy implementations have been added to the codebase. The pull request for Servo repository is available here and Hyper is available here

Referrer policy implementation

Selected Test case changes

For complete changes please refer aforementioned url.

Testing

Various testcase scenerios involving request from HTTP to HTTPS URLs and vice-versa have been added in tests/unit/net/http_loader.rs. Full functionality coverage has been taken case of by ensuring that all same origin and cross origin test cases have been included.