Skip to content

Network security project

Jump to bottom
Josh Matthews edited this page Oct 8, 2016 · 2 revisions

Improve cookie and referrer policy implementations

Background information: Servo supports HTTP cookies and parts of the Referrer-Policy web standard. The goal of this project is to implement newer, more secure standards, and complete missing pieces of existing ones, in order to increase the security available to users of the Servo browser. The work will encompass adding "strict" variations of existing referrer policies, implementing a maximum number of cookies per host, and restricting insecure cookies from overwriting secure ones.

Initial steps:

  • compile Servo and ensure that it runs on tests/html/about-mozilla.html
  • email the mozilla.dev.servo mailing list (be sure to subscribe first!) introducing your group and asking any necessary questions
  • implement strict-origin and strict-origin-when-cross-origin referrer policies (see determine_request_referrer and determine_policy_for_token)
  • support multiple policy values in Referrer-Policy HTTP header per the specification (this task was completed independently)
  • add support for the new strict policy values in the Referrer-Policy HTTP header (source)
  • add tests for the new policy values in tests/unit/net/http_loader.rs (run with ./mach test-unit -p net)

Subsequent steps:

  • redesign CookieStorage to store cookies in a HashMap where the key is the base domain of the cookie's source (ie. "www.google.co.uk" becomes "google.co.uk")
  • store a max_per_host limit in CookieStorage that is checked when adding new cookies; evict the oldest cookie if the limit is reached (add tests to tests/unit/net/cookie.rs)
  • implement the Leave Secure Cookies Alone specification - ensure that newly created insecure cookies cannot override existing secure cookies (add tests to tests/unit/net/cookie.rs)
Clone this wiki locally