CSC/ECE 517 Fall 2016/M1654. Improve network security features: Difference between revisions

From Expertiza_Wiki
Jump to navigation Jump to search
 
(10 intermediate revisions by 2 users not shown)
Line 4: Line 4:
Servo supports standard [HTTP cookies] and parts of the Referral-Policy web standard. The project aims at increasing the security available to Servo browser users by implementing secure standards and complete the missing parts of the existing implementations. The project involves adding "strict" version of existing referrer policies.
Servo supports standard [HTTP cookies] and parts of the Referral-Policy web standard. The project aims at increasing the security available to Servo browser users by implementing secure standards and complete the missing parts of the existing implementations. The project involves adding "strict" version of existing referrer policies.


 
'''Note to Reviewers''' : The pull request has been approved and merged by Mozilla team.


=='''Introduction'''==
=='''Introduction'''==
Line 42: Line 42:
==== Strict origin When Cross Origin ====
==== Strict origin When Cross Origin ====
[https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin Strict Origin When Cross Origin] Referrer Policy dictates that the Referrer in HTTP header is filled with the stripped URL of the origin if the request is sent to a URL different from the origin and the complete URL is sent when making [https://en.wikipedia.org/wiki/Same-origin_policy same origin] requests.
[https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-strict-origin-when-cross-origin Strict Origin When Cross Origin] Referrer Policy dictates that the Referrer in HTTP header is filled with the stripped URL of the origin if the request is sent to a URL different from the origin and the complete URL is sent when making [https://en.wikipedia.org/wiki/Same-origin_policy same origin] requests.
== '''Design Pattern''' ==
No design patterns were used in this project.


== '''Implementation''' ==
== '''Implementation''' ==
Strict Origin and Strict Origin When Cross origin Referrer policy implementations have been added to the codebase. The pull request for Servo repository is available [https://github.com/rjain9/servo/pull/1 here] and Hyper is available [https://github.com/hyperium/hyper/pull/943 here]
Strict Origin and Strict Origin When Cross origin Referrer policy implementations have been added to the codebase. The pull request for Servo repository is available [https://github.com/servo/servo/pull/14059 here] and Hyper is available [https://github.com/hyperium/hyper/pull/943 here]


Referrer policy implementation<br>
Referrer policy implementation<br>
Line 52: Line 55:


For complete changes please refer aforementioned url.
For complete changes please refer aforementioned url.
All the newly implemented functions have been provided with URL corresponding to their documentation instead of a direct comment above the function. This is in accordance with the guidelines set by Mozilla for the Servo project. Hence no extra comments are added to the code. All the implementation details can be provided in the links provided above the functions.


== '''Testing''' ==
== '''Testing''' ==
Various testcase scenerios involving request from HTTP to HTTPS URLs and vice-versa have been added in [https://github.com/rjain9/servo/pull/1 tests/unit/net/http_loader.rs]. Full functionality coverage has been taken case of by ensuring that all same origin and cross origin test cases have been included.
Various testcase scenerios involving request from HTTP to HTTPS URLs and vice-versa have been added in [https://github.com/servo/servo/pull/14059 tests/unit/net/http_loader.rs]. Full functionality coverage has been taken case of by ensuring that all same origin and cross origin test cases have been included.
 
No UI is available for testing the changes as the associated features involve cookies which do not have a visual interface. To test the changes follow these commands
 
<code>
./mach build --dev
./mach test-unit -p net
</code>
 
 
== '''Pull Request Details''' ==
Links to [https://github.com/rjain9/servo/pull/1 '''old'''] pull request and [https://github.com/servo/servo/pull/14059 '''new'''] pull request.
 
This '''new''' pull request contains commit implementing initial steps for Improving Network Security project. As part of initial steps referrer policy enums for strict-origin and strict-origin-when-cross-origin have been added to [https://github.com/hyperium/hyper/pull/943 hyper]. Unit tests and additional logic has been added to handle these policies. Since enum changes are available on hyper version 0.9.11. We had to update hyper version to 0.9.11.
 
Hyper 0.9.11 depends on num_cpus 1.1.0. To avoid a different version of num_cpus. We have updated rayon version from 0.4.0 to 0.4.3. Cargo.toml of util, style, geckolib, stylo component has been updated to use num_cpus version 1.1.0 instead of 0.2.2.
 
Mozilla guidelines suggest that multiple concise commits should be wrapped into a single commit. Hence the '''old''' request shows the individual contributions but the '''new''' pull request contains only one major commit (and review comments based commits).
 
== '''Commit Frequency''' ==
Since this is a Mozilla project, all the changes were submitted in a single commit.

Latest revision as of 21:00, 23 March 2017

M1654: Improve network security features for Servo (cookies and strict referrer policies)

Servo supports standard [HTTP cookies] and parts of the Referral-Policy web standard. The project aims at increasing the security available to Servo browser users by implementing secure standards and complete the missing parts of the existing implementations. The project involves adding "strict" version of existing referrer policies.

Note to Reviewers : The pull request has been approved and merged by Mozilla team.

Introduction

Rust

Rust is a systems programming language developed and maintained by Mozilla. It is used as a multi-paradigm, compiled programming language for creating highly safe systems. Rust can be used for a variety of jobs including and not restricted to embedding into other languages, creating modular and optimized programs adhering to space-time constraints and can also be used to develop low-level code for writing device drivers.

Servo

Servo is a modern high-performance browser engine designed for both application and embedded use which is written in Rust. It is created by Mozilla Research and is being built by a global community of individual contributors and companies such as Mozilla and Samsung.

Referrer Policy

Referrer is a HTTP header field which contains the source of the URL that requested the web page. Referrer-policy dictates algorithm used to generate Referrer header when a new web page is requested.


Project Description

The project entails adding improved network security features for Servo engine by supplementing the existing Referrer-policies with 'strict origin' and 'strict origin when cross origin' policies.


A brief description of the list of tasks assigned as part of the project is as follows:

1) Compile Servo and ensure that it runs on tests/html/about-mozilla.html

2) Email the mozilla.dev.servo mailing list (be sure to subscribe first!) introducing your group and asking any necessary questions

3) Implement strict-origin and strict-origin-when-cross-origin referrer policies (see determine_request_referrer and determine_policy_for_token)

4) Add support for the new strict policy values in the Referrer-Policy HTTP header (source)

5) Add tests for the new policy values in tests/unit/net/http_loader.rs (run with ./mach test-unit -p net)


Referrer Policies added in this project

Strict Origin

Strict Origin Referrer Policy dictates that the Referrer in HTTP header is always filled with the stripped URL of the origin and not the complete URL.

Strict origin When Cross Origin

Strict Origin When Cross Origin Referrer Policy dictates that the Referrer in HTTP header is filled with the stripped URL of the origin if the request is sent to a URL different from the origin and the complete URL is sent when making same origin requests.

Design Pattern

No design patterns were used in this project.

Implementation

Strict Origin and Strict Origin When Cross origin Referrer policy implementations have been added to the codebase. The pull request for Servo repository is available here and Hyper is available here

Referrer policy implementation

Selected Test case changes

For complete changes please refer aforementioned url.

All the newly implemented functions have been provided with URL corresponding to their documentation instead of a direct comment above the function. This is in accordance with the guidelines set by Mozilla for the Servo project. Hence no extra comments are added to the code. All the implementation details can be provided in the links provided above the functions.

Testing

Various testcase scenerios involving request from HTTP to HTTPS URLs and vice-versa have been added in tests/unit/net/http_loader.rs. Full functionality coverage has been taken case of by ensuring that all same origin and cross origin test cases have been included.

No UI is available for testing the changes as the associated features involve cookies which do not have a visual interface. To test the changes follow these commands

./mach build --dev
./mach test-unit -p net


Pull Request Details

Links to old pull request and new pull request.

This new pull request contains commit implementing initial steps for Improving Network Security project. As part of initial steps referrer policy enums for strict-origin and strict-origin-when-cross-origin have been added to hyper. Unit tests and additional logic has been added to handle these policies. Since enum changes are available on hyper version 0.9.11. We had to update hyper version to 0.9.11.

Hyper 0.9.11 depends on num_cpus 1.1.0. To avoid a different version of num_cpus. We have updated rayon version from 0.4.0 to 0.4.3. Cargo.toml of util, style, geckolib, stylo component has been updated to use num_cpus version 1.1.0 instead of 0.2.2.

Mozilla guidelines suggest that multiple concise commits should be wrapped into a single commit. Hence the old request shows the individual contributions but the new pull request contains only one major commit (and review comments based commits).

Commit Frequency

Since this is a Mozilla project, all the changes were submitted in a single commit.