CSC/ECE 517 Fall 2016/M1654. Improve network security features
M1654: Improve network security features for Servo (cookies and strict referrer policies)
Servo supports standard HTTP cookies and parts of the Referrer-Policy web standard. The project aims to increase the security available to Servo browser users by implementing secure standards and completing the missing parts of the existing implementations. It involves adding the "strict" versions of the existing referrer policies.
Introduction
Rust
Rust is a systems programming language developed and maintained by Mozilla. It is a multi-paradigm, compiled language designed for building highly safe systems. Rust can be used for a variety of jobs, including but not limited to embedding into other languages, creating modular and optimized programs that adhere to space-time constraints, and writing low-level code such as device drivers.
Servo
Servo is a modern, high-performance browser engine written in Rust and designed for both application and embedded use. It was created by Mozilla Research and is being built by a global community of individual contributors and companies such as Mozilla and Samsung.
Referrer Policy
Referer (the HTTP header field, spelled with a single r) carries the URL of the page from which a request was made. A referrer policy dictates the algorithm used to generate the Referer header when a new web page is requested.
Project Description
The project entails adding improved network security features to the Servo engine by supplementing the existing referrer policies with the 'strict-origin' and 'strict-origin-when-cross-origin' policies.
The tasks assigned as part of the project are as follows:
1) Compile Servo and ensure that it runs on tests/html/about-mozilla.html
2) Email the mozilla.dev.servo mailing list (be sure to subscribe first!) introducing your group and asking any necessary questions
3) Implement strict-origin and strict-origin-when-cross-origin referrer policies (see determine_request_referrer and determine_policy_for_token)
4) Add support for the new strict policy values in the Referrer-Policy HTTP header (source)
5) Add tests for the new policy values in tests/unit/net/http_loader.rs (run with ./mach test-unit -p net)
Referrer Policies added in this project
Strict Origin
The strict-origin referrer policy dictates that the Referer header is always filled with the stripped URL of the origin (scheme, host and port) rather than the complete URL.
Strict origin When Cross Origin
The strict-origin-when-cross-origin referrer policy dictates that the Referer header is filled with the stripped URL of the origin when the request is sent to a URL with a different origin, while the complete URL is sent for same-origin requests.
Implementation
The strict-origin and strict-origin-when-cross-origin referrer policy implementations have been added to the codebase. The pull request for the Servo repository is available here, and the one for Hyper is available here.
Referrer policy implementation
Testing
Various test scenarios involving requests from HTTP to HTTPS URLs and vice versa have been added in tests/unit/net/http_loader.rs. Full functionality coverage has been taken care of by ensuring that all same-origin and cross-origin test cases are included.
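As an added example (not Servo's code and not the pull requests linked above), the following Rust program models determine_request_referrer and determine_policy_for_token for the two strict policies described under "Referrer Policies added in this project" and exercises the HTTP/HTTPS scenarios mentioned in this testing section. The function and type names are hypothetical stand-ins for Servo's, and the small Url type replaces the url crate so the program runs without dependencies. One rule worth checking in tests, taken from the W3C Referrer Policy specification rather than from this page: the strict variants send no Referer at all on an HTTPS to HTTP downgrade, while HTTP to HTTPS is not a downgrade.

```rust
// Added example, not Servo's code: a self-contained model of the referrer algorithm for the
// two "strict" policies. Names mirror the page's functions (hypothetical here); a tiny URL type stands in for the url crate.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ReferrerPolicy {
    NoReferrer,
    NoReferrerWhenDowngrade,
    Origin,
    SameOrigin,
    OriginWhenCrossOrigin,
    StrictOrigin,
    StrictOriginWhenCrossOrigin,
    UnsafeUrl,
}

/// Map one Referrer-Policy header token to a policy. Unknown tokens yield None,
/// so a malformed header never silently selects a weaker policy.
pub fn determine_policy_for_token(token: &str) -> Option<ReferrerPolicy> {
    use ReferrerPolicy::*;
    Some(match token.trim().to_ascii_lowercase().as_str() {
        "no-referrer" => NoReferrer,
        "no-referrer-when-downgrade" => NoReferrerWhenDowngrade,
        "origin" => Origin,
        "same-origin" => SameOrigin,
        "origin-when-cross-origin" => OriginWhenCrossOrigin,
        "strict-origin" => StrictOrigin,
        "strict-origin-when-cross-origin" => StrictOriginWhenCrossOrigin,
        "unsafe-url" => UnsafeUrl,
        _ => return None,
    })
}

/// Minimal URL model (constructed for this example; no IPv6 or IDNA handling).
#[derive(Debug, Clone, PartialEq)]
pub struct Url { scheme: String, host: String, port: Option<u16>, path_and_query: String }

impl Url {
    pub fn parse(s: &str) -> Option<Url> {
        let (scheme, rest) = s.split_once("://")?;
        let rest = rest.split('#').next().unwrap_or(""); // the fragment is never sent
        let (authority, path_and_query) = match rest.find('/') {
            Some(i) => (&rest[..i], &rest[i..]),
            None => (rest, "/"),
        };
        // Drop userinfo: credentials must never leak through Referer.
        let hostport = authority.rsplit('@').next().unwrap_or(authority);
        let (host, port) = match hostport.rsplit_once(':') {
            Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
            None => (hostport, None),
        };
        Some(Url { scheme: scheme.to_ascii_lowercase(), host: host.to_ascii_lowercase(), port, path_and_query: path_and_query.to_string() })
    }

    /// Serialized origin, e.g. "https://example.com" or "http://host:8080".
    pub fn origin(&self) -> String {
        match self.port {
            Some(p) => format!("{}://{}:{}", self.scheme, self.host, p),
            None => format!("{}://{}", self.scheme, self.host),
        }
    }

    /// "Strip URL for use as a referrer": origin + path + query, with no userinfo or fragment.
    pub fn stripped(&self) -> String {
        format!("{}{}", self.origin(), self.path_and_query)
    }
}

/// Compute the Referer value (None means omit the header) for a request from `source` to `destination`.
pub fn determine_request_referrer(policy: ReferrerPolicy, source: &Url, destination: &Url) -> Option<String> {
    use ReferrerPolicy::*;
    let same_origin = source.origin() == destination.origin();
    // A downgrade is HTTPS -> HTTP; HTTP -> HTTPS is not one.
    let downgrade = source.scheme == "https" && destination.scheme != "https";
    let origin_only = format!("{}/", source.origin());
    match policy {
        NoReferrer => None,
        NoReferrerWhenDowngrade => (!downgrade).then(|| source.stripped()),
        Origin => Some(origin_only),
        SameOrigin => same_origin.then(|| source.stripped()),
        OriginWhenCrossOrigin => Some(if same_origin { source.stripped() } else { origin_only }),
        // The strict variants add one rule to their non-strict forms: send nothing on a downgrade.
        StrictOrigin => (!downgrade).then(|| origin_only),
        StrictOriginWhenCrossOrigin => {
            if downgrade { None } else if same_origin { Some(source.stripped()) } else { Some(origin_only) }
        }
        UnsafeUrl => Some(source.stripped()),
    }
}

pub fn referrer_for(policy_token: &str, from: &str, to: &str) -> Option<String> {
    let policy = determine_policy_for_token(policy_token)?;
    determine_request_referrer(policy, &Url::parse(from)?, &Url::parse(to)?)
}

fn main() {
    // Constructed sample: an HTTPS -> HTTP downgrade versus an HTTPS -> HTTPS cross-origin request.
    println!("{:?}", referrer_for("strict-origin", "https://example.com/a", "http://other.org/"));
    println!("{:?}", referrer_for("strict-origin", "https://example.com/a", "https://other.org/"));
}
```

referrer_for returns None whenever the header should be omitted; unit tests for the downgrade scenarios should assert on that absence rather than on an empty string, since an empty Referer header is itself a leak of the fact that a policy applied.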