Comment: Comment-1-

PP-Module for Web Browsers

NIAP Logo
Version: 1.0
2025-04-01
National Information Assurance Partnership

Revision History

VersionDateComment
1.02024-10-25Initial release as CC:2022 PP-Module

Contents

1Introduction1.1Overview1.2Terms1.2.1Common Criteria Terms1.2.2Technical Terms1.3Compliant Targets of Evaluation1.3.1TOE Boundary1.4Use Cases2Conformance Claims3Security Problem Definition3.1Threats3.2Assumptions3.3Organizational Security Policies4Security Objectives4.1Security Objectives for the Operational Environment5Security Requirements5.1 Protection Profile for Application Software Security Functional Requirements Direction 5.1.1 Modified SFRs 5.1.1.1Cryptographic Support (FCS)5.1.1.2Trusted Path/Channels (FTP)5.2TOE Security Functional Requirements5.2.1User Data Protection (FDP)5.2.2Security Management (FMT)5.2.3Protection of the TSF (FPT)5.3TOE Security Functional Requirements Rationale6Consistency Rationale6.1 Protection Profile for Application Software6.1.1 Consistency of TOE Type 6.1.2 Consistency of Security Problem Definition 6.1.3 Consistency of OE Objectives 6.1.4 Consistency of Requirements Appendix A - Optional SFRsA.1Strictly Optional Requirements A.1.1User Data Protection (FDP)A.2Objective Requirements A.2.1Cryptographic Support (FCS)A.2.2Protection of the TSF (FPT)A.3Implementation-dependent Requirements Appendix B - Selection-based Requirements B.1Protection of the TSF (FPT)Appendix C - Extended Component DefinitionsC.1Extended Components TableC.2Extended Component DefinitionsC.2.1Cryptographic Support (FCS)C.2.1.1FCS_STS_EXT Strict Transport SecurityC.2.2Protection of the TSF (FPT)C.2.2.1FPT_AON_EXT Add-OnsC.2.2.2FPT_DNL_EXT File DownloadsC.2.2.3FPT_ADD_EXT Add-onsC.2.2.4FPT_INT_EXT Reputation Service InteractionC.2.3Security Management (FMT)C.2.3.1FMT_MOF_EXT Management of Functions BehaviorC.2.4User Data Protection (FDP)C.2.4.1FDP_ACF_EXT Access Control FunctionsC.2.4.2FDP_COO_EXT Cookie BlockingC.2.4.3FDP_SBX_EXT SandboxingC.2.4.4FDP_SOP_EXT Same Origin PolicyC.2.4.5FDP_STR_EXT Secure Transmission of Cookie DataC.2.4.6FDP_TRK_EXT Tracking Information CollectionC.2.4.7FDP_PST_EXT Storage of Persistent InformationAppendix D - Entropy Documentation and AssessmentAppendix E - AcronymsAppendix F - Bibliography

1 Introduction

1.1 Overview

The scope of the PP-Module for Web Browsers, Version 1.0 is to describe the security functionality of web browser applications in terms of [CC] and to define functional and assurance requirements for the product-specific capabilities of web browser applications. Web browsers are client applications that retrieve and render content provided by web servers, primarily using the hypertext transfer protocol (HTTP) or HTTP Secure (HTTPS). This PP-Module is intended for use with the following Base-PP:

This Base-PP is valid because web browsers are a specific type of software application.

1.2 Terms

The following sections list Common Criteria and technology terms used in this document.

1.2.1 Common Criteria Terms

Assurance
Grounds for confidence that a TOE meets the SFRs [CC].
Base Protection Profile (Base-PP)
Protection Profile used as a basis to build a PP-Configuration.
Collaborative Protection Profile (cPP)
A Protection Profile developed by international technical communities and approved by multiple schemes.
Common Criteria (CC)
Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408).
Common Criteria Testing Laboratory
 Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations.
Common Evaluation Methodology (CEM)
Common Evaluation Methodology for Information Technology Security Evaluation.
Extended Package (EP)
A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages.
Functional Package (FP)
A document that collects SFRs for a particular protocol, technology, or functionality.
Operational Environment (OE)
Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy.
Protection Profile (PP)
An implementation-independent set of security requirements for a category of products.
Protection Profile Configuration (PP-Configuration)
A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module.
Protection Profile Module (PP-Module)
An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs.
Security Assurance Requirement (SAR)
A requirement to assure the security of the TOE.
Security Functional Requirement (SFR)
A requirement for security enforcement by the TOE.
Security Target (ST)
A set of implementation-dependent security requirements for a specific product.
Target of Evaluation (TOE)
The product under evaluation.
TOE Security Functionality (TSF)
The security functionality of the product under evaluation.
TOE Summary Specification (TSS)
A description of how a TOE satisfies the SFRs in an ST.

1.2.2 Technical Terms

Add-on
Capabilities or functionality added to an application. This term includes plug-ins, extensions, and other controls.
Administrator
The Administrator is responsible for management activities, including setting the policy that is applied by the enterprise on the browser. This administrator is likely to be acting remotely. If the platform is unmanaged by an enterprise, the user can act as the administrator.
Cross-Site Request Forgery (CSRF)
A vulnerability where an attacker gets a target user to execute a script with that user's privileges.
Cross-Site Scripting (XSS)
Injection of untrusted content into a vulnerable web application to render or execute that content on a victim's system.
Domain
A realm of administrative autonomy, authority or control on the internet (e.g., cnn.com).
Extension
A bundle of code added to the browser to add specific functionality that the browser does not provide by default.
HTML5
A new version of HTML that incorporates many new features that enrich the browsing experience.
HyperText Markup Language (HTML)
A language used by web servers to present content to browsers.
HyperText Transfer Protocol (HTTP)
A protocol for communicating on the web.
HyperText Transfer Protocol Secure (HTTPS)
A secure version of HTTP that runs over an encrypted channel (SSL/TLS).
JavaScript
A scripting language commonly integrated into webpages to generate dynamic, interactive content
Plug-in
A browser add-on to handle specific types of web content.
Pop-up
A piece of web code that causes a browser to open a window outside the window that is currently in focus.
Port
An application-specific construct that functions as a communications endpoint in a computer's host OS; in a web environment, port 80 is the default port for HTTP communications, although other ports can be used. In a web address, the port follows the domain or sub-domain name (e.g., http://www.cnn.com:80).
Protocol
A system of digital rules for data exchange within or between computers; in a web environment, the typical protocols are HTTP and HTTPS.
Sandbox
A security mechanism for separating running processes, most often used to run untrusted or vulnerable processes by reducing their privileges to such an extent that they should not be able to harm the host system.
Sensitive Data
Sensitive data may include all user or enterprise data or may be specific application data such as data transferred to submit a form or complete a transaction. Sensitive data must minimally include personally identifiable information (PII), credentials, and keys. Sensitive data is expected to be identified in the ST.
Sub-domain
An internet domain which is part of a primary domain, denoted by a prefix before the primary domain (e.g., news.cnn.com).
Tabs
A mechanism that allows a browser to display content from multiple websites in the same window.
Web Browser
An application that retrieves and renders content provided by a web server. The terms web browser, browser, and TOE are interchangeable in this document.

1.3 Compliant Targets of Evaluation

The Target of Evaluation (TOE) in this PP-Module is a web browser application running on a desktop or mobile operating system.

Web browsers are client applications that retrieve and render content provided by web servers, primarily using the hypertext transfer protocol (HTTP) or HTTP Secure (HTTPS). Browsers have grown in complexity over the years, starting as tools used to display simple, unchanging websites and becoming sophisticated execution environments for web content. The use of browsers to administer accounts, servers, or embedded systems remotely requires them to handle sensitive information securely. Innovations such as tabs, extensions, and HTML5 have not only increased browser functionality, but also introduced new security concerns. Being the principal method for accessing the internet, and due to their complexity and the information that they process, browsers are a natural target for attackers. As a result, it is paramount that the security of web browsers be improved to reduce the risk to client machines and enterprise networks.

This PP-Module along with the Protection Profile for Application Software [App PP] provide a baseline set of Security Functional Requirements (SFRs) for web browsers running on any operating system regardless of the composition of the underlying platform. The requirements are intended to improve the security of browsers by encouraging the use of operating system security services and requiring the use of sandboxing technologies and environmental mitigations provided by the underlying platform. Additionally, these requirements define security functionality that browsers must provide.

The terms web browser, browser, and TOE are interchangeable in this document.

1.3.1 TOE Boundary

The physical boundary of the web browser is a software application running on a desktop or mobile operating system. The TOE boundary may include third-party add-ons, but these are non-interfering with respect to security; add-ons provide features that are outside the TOE's logical boundary but must be implemented in such a manner that their inclusion does not compromise the security of the TSF.

1.4 Use Cases

Requirements in this PP-Module are designed to address the security problems in the use cases below. These use cases are intentionally very broad, as web browsers can be used to perform many tasks.
[USE CASE 1] Surfing the Web
Browsers are used to retrieve, display, and render content from the web, such as websites, streaming media, images, and specialized formats (e.g., Java, PDF). They can also be used to write content to websites (web 2.0 – e.g., Facebook). Web surfing can be done over the internet or within an intranet.
[USE CASE 2] Remote Administration Client
Browsers are used to provide remote administration interfaces for systems such as servers, network devices, and embedded systems, to include supervisory control and data acquisition (SCADA) systems, smart TVs, and thermostats. As opposed to surfing the web, where the browser may be interacting with untrusted content, the browser, acting as a Remote Administration Client, is connecting to a server that the user trusts.
[USE CASE 3] Content Creation
Browsers are used to create content via an increasing number of Software as a Service (SaaS) offerings, including Microsoft Office 365, Google Drive, and Adobe Creative Cloud, where user data and records are stored online.

2 Conformance Claims

Conformance Statement

An ST must claim exact conformance to this PP-Module.

The evaluation methods used for evaluating the TOE are a combination of the workunits defined in [CEM] as well as the Evaluation Activities for ensuring that individual SFRs and SARs have a sufficient level of supporting evidence in the Security Target and guidance documentation and have been sufficiently tested by the laboratory as part of completing ATE_IND.1. Any functional packages this PP claims similarly contain their own Evaluation Activities that are used in this same manner.
CC Conformance Claims

This PP-Module is conformant to Part 2 (extended) and Part 3 (extended) of Common Criteria CC:2022, Revision 1.
PP Claim

This PP-Module does not claim conformance to any Protection Profile.

The following PPs and PP-Modules are allowed to be specified in a PP-Configuration with this PP-Module:
Package Claim

The functional packages to which the PP conforms may include SFRs that are not mandatory to claim for the sake of conformance. An ST that claims one or more of these functional packages may include any non-mandatory SFRs that are appropriate to claim based on the capabilities of the TSF and on any triggers for their inclusion based inherently on the SFR selections made.

3 Security Problem Definition

The security problem is described in terms of the threats that the web browser is expected to address, assumptions about the operational environment, and any organizational security policies that it is expected to enforce.

This PP-Module does not repeat the threats, assumptions, and organizational security policies identified in the App PP, though they all apply given the conformance and hence dependence of this PP-Module on it. Together, the threats, assumptions and organizational security policies of the App PP and those defined in this PP-Module describe those addressed by a web browser as the Target of Evaluation.

Notably, browsers are particularly at risk from the T.NETWORK_ATTACK threat identified in the App PP. Attackers can use phishing or another social engineering technique to persuade a user to visit a malicious site. Users may also unintentionally visit malicious sites in the course of web browsing. Such sites then present malicious content to the user's browser to exploit it and perform installation of malware, often with no indication to the user.

3.1 Threats

The following threats are specific to web browsers, and represent an addition to those identified in the App PP.
T.FLAWED_ADDON
Web browser functionality can be extended through the integration of third-party utilities and tools. Malicious or vulnerable add-ons could result in attacks against the system. Such attacks can allow unauthorized access to sensitive information in the browser, unauthorized access to the platform's file system, or privilege escalation that enables unauthorized access to other applications or the operating system.
T.NETWORK_ATTACK (from App PP)
This threat from the above Base PP also applies to the functionality defined in this PP-Module.
T.NETWORK_EAVESDROP (from App PP)
This threat from the above Base PP also applies to the functionality defined in this PP-Module.
T.PHYSICAL_ACCESS (from App PP)
This threat from the above Base PP also applies to the functionality defined in this PP-Module.
T.SAME_ORIGIN_VIOLATION
Violating the same-origin policy is a specialized type of network attack (covered generally as T.NETWORK_ATTACK in the App PP), which involves web content violating access control policies enforced by a web browser to separate the content of different web domains. It is specifically identified as a threat to web browsers, since they implement the access control policies that are violated in these attacks.

Attacks which involve same origin violations include:
  • Insufficient protection of session tokens can lead to session hijacking, where a token is captured and reused to gain the privileges of the user who initiated the session.
  • XSS and CSRF attacks are methods used to compromise user credentials (usually by stealing the user's session token) to a website. These attacks are more likely a result of server security problems, but some browsers incorporate technologies that try to detect the attacks.
  • Inadequate sandboxing of browser windows and tabs or a faulty cross domain communications model can lead to leakage of content from one domain in one window or tab to a different domain in a different window or tab. Such attacks leverage the ability of browsers to display content from multiple domains simultaneously.
A malicious actor could implement a malicious website or send a maliciously-crafted URL that an unsuspecting user could open in a vulnerable web browser, which could then be used to harvest sensitive data from a legitimate user or otherwise facilitate impersonation of that user.

3.2 Assumptions

This document does not define any additional assumptions.

3.3 Organizational Security Policies

An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.

This document does not define any additional OSPs.

4 Security Objectives

This PP-Module adds SFRs to objectives identified in the Base-PP and describes additional objectives specific to this PP-Module.

4.1 Security Objectives for the Operational Environment

This PP-Module does not define any objectives for the OE.

No environmental security objectives have been identified that are specific to web browsers. However, any environmental security objectives defined in the Base-PP will also apply to the portion of the TOE that implements web browser functionality.

5 Security Requirements

This chapter describes the security requirements which have to be fulfilled by the product under evaluation. Those requirements comprise functional components from Part 2 and assurance components from Part 3 of [CC]. The following conventions are used for the completion of operations:

5.1 Protection Profile for Application Software Security Functional Requirements Direction

In a PP-Configuration that includes the App PP, the TOE is expected to rely on some of the security functions implemented by the Application as a whole and evaluated against the App PP. The following sections describe any modifications that the ST author must make to the SFRs defined in the App PP in addition to what is mandated by Section 5.2 TOE Security Functional Requirements.

5.1.1 Modified SFRs

The SFRs listed in this section are defined in the App PP and relevant to the secure operation of the TOE.

5.1.1.1 Cryptographic Support (FCS)

FCS_CKM_EXT.1 Cryptographic Key Generation Services

The application shall [selection:
  • generate no asymmetric cryptographic keys
  • invoke platform-provided functionality for asymmetric key generation
  • implement asymmetric key generation
].
Application Note: This SFR is modified from its Base-PP definition to remove the selection for the TOE not requiring asymmetric key generation.

FCS_HTTPS_EXT.1/Client HTTPS Protocol

This SFR is recategorized from selection-based to mandatory when the TOE conforms to this PP-Module, and the modification that this PP-Module makes to FTP_DIT_EXT.1.

FCS_RBG_EXT.1 Random Bit Generation Services

The application shall [selection:
  • use no DRBG functionality
  • invoke platform-provided DRBG functionality
  • implement DRBG functionality
] for its cryptographic operations.
Application Note: This SFR is modified from its Base-PP definition to remove the selection for the TOE using no DRBG functionality.

5.1.1.2 Trusted Path/Channels (FTP)

FTP_DIT_EXT.1 Protection of Data in Transit

The application shall [selection: ] between itself and another trusted IT product.
Application Note: This SFR is modified from its definition in the App PP to require that the TOE or its platform supports HTTPS, TLS, and DTLS, and that its use of these protocols is only limited to sensitive data. A conformant TOE must support the use of HTTPS, TLS, and DTLS for secure web browsing but is permitted to interact with non-sensitive content over an untrusted channel.

Either the TOE or its platform is permitted to implement TLS and DTLS. If the TOE implements these protocols, FCS_DTLSC_EXT.1, FCS_DTLSC_EXT.2, FCS_TLS_EXT.1, FCS_TLSC_EXT.1, and FCS_TLSC_EXT.2 from the TLS package must be claimed at minimum because a web browser is required to support mutually-authenticated TLS and DTLS. Dependent claims from the Functional Package for X.509 must be made to support the X.509 validation functionality that is required for these protocols.

5.2 TOE Security Functional Requirements

The following section describes the SFRs that must be satisfied by any TOE that claims conformance to this PP-Module. These SFRs must be claimed regardless of which PP-Configuration is used to define the TOE.

5.2.1 User Data Protection (FDP)

FDP_ACF_EXT.1 Local and Session Storage Separation

The TSF shall separate local (permanent) and session (ephemeral) storage based on domain, protocol, and port:

  • Session storage shall be accessible only from the originating window or tab;
  • Local storage shall only be accessible from windows or tabs running the same web application.
Application Note: The separation of local and session storage is described in World Wide Web Consortium (W3C) Proposed Recommendation: "Web Storage."

FDP_COO_EXT.1 Cookie Blocking

The TSF shall provide the capability to block the storage of third-party cookies by websites.

FDP_SBX_EXT.1 Sandboxing of Rendering Processes

The TSF shall [selection, choose one of: invoke platform-provided functionality, implement functionality] to ensure that webpage rendering is performed in a process that is restricted in the following manner:
  • The rendering process can only directly access the area of the file system dedicated to the browser.
  • The rendering process can only directly invoke inter-process communication mechanisms with its own browser processes.
  • The rendering process has reduced privilege with respect to other browser processes [selection, choose one of: [assignment: other methods by which the principle of least privilege is implemented for rendering processes], in no other ways].
Application Note: Web browsers implement a variety of methods to ensure that the process that renders HTML and interprets JavaScript operates in a constrained environment in order to reduce the risk that the rendering process can be corrupted by the HTML or JavaScript it is processing. This component requires the browser to lower the privileges of rendering processes by ensuring that it cannot directly access the file system of the host, and that it cannot use inter-process communication (IPC) mechanisms provided by the host to communicate with non-browser processes on the host. Typically, if a rendering process needs to access a file or communicate with a non-browser process, it must request such access through the TSF (which is allowed by the requirement).

In addition to the two required measures, other measures can be implemented depending on the browser and the host platform. These may involve such actions as changing the owner of the rendering process to a low-privileged account or dropping platform-defined privileges in the rendering process. The ST author fills in the additional measures implemented by the browser.

FDP_SOP_EXT.1 Same Origin Policy

The TSF shall only permit scripts contained in one webpage to access data in a second webpage if both pages are from the same origin.
The TSF shall enforce the same origin policy for all domains.
Application Note: The Same Origin Policy concept is described in RFC 6454, "The Web Origin Concept."

Origin is defined as the combination of domain, protocol, and port. Two URIs sharing the same domain, protocol, and port are considered to have the same origin.

FDP_STR_EXT.1 Secure Transmission of Cookie Data

The TSF shall ensure that cookies containing the 'secure' attribute in the set-cookie header are sent over HTTPS.
Application Note: The set-cookie header functionality is described in RFC 6265, "HTTP State Management Mechanism."

FDP_TRK_EXT.1 Tracking Information Collection

The TSF shall provide notification to the user when tracking information for [selection:
  • geolocation
  • browser history
  • browser preferences
  • browser statistics
] is requested by a website.

5.2.2 Security Management (FMT)

FMT_MOF_EXT.1 Management of Functions Behavior

The TSF shall be capable of performing the following management functions, controlled by the administrator or user as shown:
  • M = Mandatory
  • O = Optional
#Management FunctionAdministratorUser
1Enable and disable storage of third-party cookies
OOptional/Conditional
MMandatory
2Enable and disable use of OCSP for obtaining the revocation status of X.509 certificates
OOptional/Conditional
OOptional/Conditional
3Configure inclusion of user-agent information in HTTP headers
OOptional/Conditional
OOptional/Conditional
4Enable and disable ability for websites to collect tracking information about the user through [selection: zombie cookies, add-on based tracking (e.g., Flash cookies), browsing history, [assignment: other tracking mechanisms]]
OOptional/Conditional
OOptional/Conditional
5Enable and disable deletion of stored browsing data (cache, web form information)
OOptional/Conditional
MMandatory
6Enable and disable storage of sensitive information (e.g., auto-fill, auto-complete) in persistent storage
OOptional/Conditional
OOptional/Conditional
7Configure cookie cache size
OOptional/Conditional
OOptional/Conditional
8Configure cache size
OOptional/Conditional
OOptional/Conditional
9Enable and disable interaction with Graphic Processing Units (GPUs)
OOptional/Conditional
OOptional/Conditional
10Configure the ability to advance to a website with an invalid or unvalidated X.509 certificate
OOptional/Conditional
OOptional/Conditional
11Enable and disable establishment of a trusted channel if the browser cannot establish a connection to determine the validity of a certificate
OOptional/Conditional
OOptional/Conditional
12Configure the use of an application reputation service to detect malicious applications prior to download
OOptional/Conditional
OOptional/Conditional
13Configure the use of a URL reputation service to detect sites that contain malware or phishing content
OOptional/Conditional
OOptional/Conditional
14Enable and disable automatic installation of software updates and patches
OOptional/Conditional
OOptional/Conditional
15Enable and disable ability for websites to register protocol handlers
OOptional/Conditional
OOptional/Conditional
16Enable and disable display notification when unsigned, untrusted, or unverified add-on is encountered
OOptional/Conditional
OOptional/Conditional
17Enable and disable user's ability to select default actions upon download of a file (e.g., always open or always save a downloaded file)
OOptional/Conditional
OOptional/Conditional
18Enable and disable launching of downloaded files outside the browser
OOptional/Conditional
OOptional/Conditional
19Enable and disable JavaScript
OOptional/Conditional
OOptional/Conditional
20Enable and disable [assignment: add-on types supported by the browser] web-based code executed in add-ons
OOptional/Conditional
OOptional/Conditional
21Enable and disable support for add-ons
OOptional/Conditional
OOptional/Conditional
22Enable and disable individual add-ons
OOptional/Conditional
OOptional/Conditional
23Enable and disable HSTS mode
OOptional/Conditional
OOptional/Conditional
Application Note: For these management functions, the term "Administrator" refers to the administrator of a non-mobile device or the device owner of a mobile device. The intent of this requirement is to allow the user and administrator of the platform to configure the browser with configuration policies. If the administrator has not set a policy for a particular function, the user may still perform that function. Enforcement of the policy is done by the browser itself or the browser and its platform in coordination with each other.

Disabling OCSP is only permitted if "CRL" was selected in FIA_X509_EXT.1.1 (in X.509 Functional Package).

5.2.3 Protection of the TSF (FPT)

FPT_AON_EXT.1 Support for Only Trusted Add-ons

The TSF shall include the capability to load [selection, choose one of: trusted add-ons, no add-ons].
Application Note: If trusted add-ons is selected in FPT_AON_EXT.1.1, the TOE must also claim the selection-based SFR FPT_AON_EXT.2.

If the browser does not include support for installing only trusted add-ons, this requirement can be met by demonstrating the ability to disable all support for add-ons as specified in FMT_MOF_EXT.1.

FPT_DNL_EXT.1 File Downloads

The TSF shall prevent downloaded content from launching automatically.
The TSF shall present the user with the option to either save or discard downloaded files.
Application Note: This requirement ensures that if the user intentionally (via clicking on a link) or unintentionally initiates the download of a file, the browser will intervene by, for example, opening a dialog box that presents the user with the option either to save the file to the file system or not download the file.

In this context, an executable is a file containing code for a software program that is invoked independent of and outside the context of the browser. It does not include scripts or add-ons.

FPT_ADD_EXT.1 Add-ons

The TSF shall support the capability to execute [selection, choose one of: signed [assignment: add-ons (i.e. plug-ins and extensions) supported by the browser], no] web-based code executed in add-ons.
The TSF shall [selection, choose one of: automatically discard, provide the user with the option to discard] unsigned, untrusted, or unverified [assignment: add-ons (i.e. plug-ins and extensions) supported by the browser] web-based code executed in add-ons without executing the code.
Application Note: The ST author must specify all add-on types for which the browser provides this support.

An authorized signer may directly sign the code itself, or the code may be delivered over an authenticated HTTPS connection with an authorized entity.

5.3 TOE Security Functional Requirements Rationale

The following rationale provides justification for each SFR for the TOE, showing that the SFRs are suitable to address the specified threats:

Table 1: SFR Rationale
ThreatAddressed byRationale
T.FLAWED_​ADDONFPT_AON_EXT.1FPT_AON_EXT.1 mitigates the threat by specifying whether the TSF has the ability to load add-ons.
FPT_AON_EXT.2 (selection-based)FPT_AON_EXT.2 mitigates the threat by defining a cryptographic method for the TSF to validate the integrity of add-ons if the TOE supports their use.
T.NETWORK_​ATTACK (from App PP) FCS_CKM_EXT.1 (modified from Base-PP)FCS_CKM_EXT.1 mitigates the threat by requiring that the TSF provide or invoke a cryptographic function for asymmetric key generation.
FCS_HTTPS_EXT.1/Client (from Base-PP)FCS_HTTPS_EXT.1/Client mitigates the threat by defining the TSF's implementation of HTTPS.
FCS_RBG_EXT.1 (modified from Base-PP)FCS_RBG_EXT.1 mitigates the threat by requiring that the TSF provide or invoke a DRBG for secure key generation.
FTP_DIT_EXT.1 (modified from Base-PP)FTP_DIT_EXT.1 mitigates the threat by specifying the trusted communications channels used by the TOE to protect data in transit.
FDP_STR_EXT.1FDP_STR_EXT.1 mitigates the threat by requiring the use of HTTPS for certain types of data transfer.
FDP_TRK_EXT.1FDP_TRK_EXT.1 mitigates the threat by notifying the user when various data is being tracked to allow for control of the disclosure of configuration information.
FMT_MOF_EXT.1FMT_MOF_EXT.1 mitigates the threat by defining the management functionality that is specific to web browser applications.
FPT_DNL_EXT.1FPT_DNL_EXT.1 mitigates the threat by preventing the automatic execution of downloaded files which could otherwise cause integrity violations to the TOE itself or to its platform.
FPT_ADD_EXT.1FPT_ADD_EXT.1 mitigates the threat by preventing the automatic execution of add-ons which could otherwise cause integrity violations to the TOE itself or to its platform.
FCS_STS_EXT.1 (objective)FCS_STS_EXT.1 mitigates the threat by optionally requiring the TSF to implement HSTS for secure data transmission.
FPT_INT_EXT.1 (objective)FPT_INT_EXT.1 mitigates the threat by optionally requiring the TSF to implement a reputation service to prevent the acquisition of potentially malicious applications.
FPT_INT_EXT.2 (objective)FPT_INT_EXT.2 mitigates the threat by optionally requiring the TSF to implement a URL reputation service that can block communications with malicious entities.
T.NETWORK_​EAVESDROP (from App PP) FCS_CKM_EXT.1 (modified from Base-PP)FCS_CKM_EXT.1 mitigates the threat by requiring that the TSF provide or invoke a cryptographic function for asymmetric key generation.
FCS_HTTPS_EXT.1/Client (from Base-PP)FCS_HTTPS_EXT.1/Client mitigates the threat by defining the TSF's implementation of HTTPS.
FCS_RBG_EXT.1 (modified from Base-PP)FCS_RBG_EXT.1 mitigates the threat by requiring that the TSF provide or invoke a DRBG for secure key generation.
FTP_DIT_EXT.1 (modified from Base-PP)FTP_DIT_EXT.1 mitigates the threat by specifying the trusted communications channels used by the TOE to protect data in transit.
FDP_STR_EXT.1FDP_STR_EXT.1 mitigates the threat by requiring the use of HTTPS for certain types of data transfer.
FDP_TRK_EXT.1FDP_TRK_EXT.1 mitigates the threat by notifying the user when various data is being tracked to allow for control of the disclosure of configuration information.
FMT_MOF_EXT.1FMT_MOF_EXT.1 mitigates the threat by defining the management functionality that is specific to web browser applications.
FCS_STS_EXT.1 (objective)FCS_STS_EXT.1 mitigates the threat by optionally requiring the TSF to implement HSTS for secure data transmission.
FPT_INT_EXT.2 (objective)FPT_INT_EXT.2 mitigates the threat by optionally requiring the TSF to implement a URL reputation service that can block communications with malicious entities.
T.PHYSICAL_​ACCESS (from App PP) FDP_COO_EXT.1FDP_COO_EXT.1 mitigates the threat by defining a mechanism to prevent untrusted data from being loaded into protected storage.
FDP_PST_EXT.1 (optional)FDP_PST_EXT.1 mitigates the threat by optionally defining the minimum set of persistent data that the TSF is required to store.
FPT_INT_EXT.1 (objective)FPT_INT_EXT.1 mitigates the threat by optionally requiring the TSF to implement a mechanism to protect against downloading known malicious applications that may adversely affect data stored at rest.
T.SAME_​ORIGIN_​VIOLATIONFDP_ACF_EXT.1FDP_ACF_EXT.1 mitigates the threat by isolating local and session storage to its origin point.
FDP_SBX_EXT.1FDP_SBX_EXT.1 mitigates the threat by ensuring that rendering of content is isolated to its origin point.
FDP_SOP_EXT.1FDP_SOP_EXT.1 mitigates the threat by enforcing the concept of a same origin policy to prevent web content with different origins from interacting with one another.

6 Consistency Rationale

6.1 Protection Profile for Application Software

6.1.1 Consistency of TOE Type

If this PP-Module is used to extend the App PP, the TOE type for the overall TOE is still a software application. The TOE boundary is simply extended to include the web browser functionality that is built into the application so that additional security functionality is claimed within the scope of the TOE.

The only asset for the TOE is the software executable and sensitive data that comprises the TOE. The entire TOE as defined by the combination of the Base-PP and this PP-Module is a single asset. The only differences to the threat model are that the PP-Module introduces the concept of add-ons, which introduces the threat of an add-on being flawed in some way, and that the PP-Module introduces the concept of a same-origin violation, which occurs through a use case specific to web browser applications.

6.1.2 Consistency of Security Problem Definition

Listed below are the threats, objectives, and OSPs defined in this PP-Module with rationale for their consistency with the App PP. The PP-Module shares the executable application asset with the App PP but defines additional threats because the PP-Module defines a specific type of software application with potential exploits that are common to the application type.

Note that the PP-Module is implicitly consistent with any claimed functional packages because the applicable functional packages do not have security problem definitions of their own; per section 2, any claimed functional package is intended to support the O.PROTECTED_COMMS objective in the App PP, which helps mitigate the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats in that PP.
Table 2: Consistency of Security Problem Definition (App PP base)
PP-Module Threat, Assumption, OSPConsistency Rationale
T.FLAWED_ADDONThe threat of a user installing a flawed add-on is consistent with the T.LOCAL_ATTACK threat from the Base-PP. A flawed add-on, whether crafted deliberately or unintentionally, could cause the product to operate in a manner where it or its platform can be compromised.
T.SAME_ORIGIN_VIOLATIONThis threat extends the security problem definition of the Base-PP by defining a potential vulnerability that specifically applies to the content that is handled by web browsers.

6.1.3 Consistency of OE Objectives

This PP-Module does not define any objectives for the TOE's operational environment.

6.1.4 Consistency of Requirements

This PP-Module identifies several SFRs from the App PP that are needed to support web browser functionality. This is considered to be consistent because the functionality provided by the App PP is being used for its intended purpose. The PP-Module also identifies a number of modified SFRs from the App PP that are used entirely to provide functionality for web browsers. The rationale for why this does not conflict with the claims defined by the App PP are as follows:
Table 3: Consistency of Requirements (App PP base)
PP-Module RequirementConsistency Rationale
Modified SFRs
FCS_CKM_EXT.1 This SFR is changed from its definition in the App PP to remove one of the available selection options because it will never apply in the case where the TOE conforms to this PP-Module.
FCS_HTTPS_EXT.1/Client This SFR is unchanged from its definition in the App PP; the SFR is recategorized from selection-based to mandatory when the TOE conforms to this PP-Module.
FCS_RBG_EXT.1This SFR is changed from its definition in the App PP to remove one of the available selection options because it will never apply in the case where the TOE conforms to this PP-Module.
FTP_DIT_EXT.1This SFR is changed from its definition in the App PP to mandate the protection of sensitive data using only specified protocols.
Additional SFRs
This PP-Module does not add any requirements when the App PP is the base.
Mandatory SFRs
FDP_ACF_EXT.1This SFR defines domain separation of web content when a web browser is simultaneously accessing content from multiple sources. It does not impact the App PP functionality.
FDP_COO_EXT.1This SFR defines behavior for handling cookies, which are data specific to web browser applications. It does not impact the App PP functionality.
FDP_SBX_EXT.1This SFR defines behavior for rendering of webpages, which is by definition functionality that is associated with web browser applications. It does not impact the App PP functionality.
FDP_SOP_EXT.1This SFR defines behavior for script execution on webpages, which is by definition functionality that is associated with web browser applications. It does not impact the App PP functionality.
FDP_STR_EXT.1This SFR defines behavior for handling cookies, which are data specific to web browser applications. It does not impact the App PP functionality.
FDP_TRK_EXT.1This SFR defines behavior for handling tracking information that is specific to web browser applications. It does not impact the App PP functionality.
FMT_MOF_EXT.1This SFR defines a specific set of management functions for a web browser. It does not impact the App PP functionality.
FPT_AON_EXT.1This SFR defines what types of add-ons a web browser may use. It does not impact the App PP functionality.
FPT_DNL_EXT.1This SFR defines behavior for handling file data that can be downloaded by a web browser. It does not impact the App PP functionality.
FPT_ADD_EXT.1This SFR defines behavior for add-ons that are rendered by a web browser. It does not impact the App PP functionality.
Optional SFRs
FDP_PST_EXT.1This SFR defines the persistent information that must be stored for web browser functionality to work as intended. It does not impact functionality described by the App PP.
Objective SFRs
FCS_STS_EXT.1This SFR defines behavior for implementation of HSTS, which is a communications mechanism specific to web content. It does not impact the App PP functionality.
FPT_INT_EXT.1This SFR defines behavior interaction with a reputation service for file data that the TOE can be used to download. It does not impact the App PP functionality.
FPT_INT_EXT.2This SFR defines behavior interaction with a reputation service for web content that the TOE can be used to interact with. It does not impact the App PP functionality.
Implementation-dependent SFRs
This PP-Module does not define any Implementation-dependent requirements.
Selection-based SFRs
FPT_AON_EXT.2This SFR defines how web browsers verify add-ons. It does not impact functionality described by the App PP.

Appendix A - Optional SFRs

A.1 Strictly Optional Requirements

A.1.1 User Data Protection (FDP)

FDP_PST_EXT.1 Storage of Persistent Information

The TSF shall provide the capability to operate without storing persistent data to the file system with the following exceptions: [selection: credential information, administrator-provided configuration information, certificate revocation information, no exceptions].
Application Note: Any data that persists after the browser closes, including temporary files, is considered to be persistent data.

A.2 Objective Requirements

A.2.1 Cryptographic Support (FCS)

FCS_STS_EXT.1 Strict Transport Security

The TSF shall implement HTTP Strict-Transport-Security according to RFC 6797.
The TSF shall retain persistent data signaling HSTS enablement for the time span declared by the website in a max-age directive.
The TSF shall cache the "freshest" Strict Security policy information.
Application Note: Freshness refers to the length of time between generation by the origin server and the expiration time when the origin server specifies that a stored response can no longer be used by a cache without further validation (RFCs 6797 and 7234).

A.2.2 Protection of the TSF (FPT)

FPT_INT_EXT.1 Interactions with Application Reputation Services

The TSF shall use an application reputation service to prevent downloading of malicious applications.
Application Note: An application reputation service is an online service that identifies malicious applications; it is used to detect such applications prior to downloading them. Using a reputation service would require configuration of the trusted service to be used. The quality of the reputation service may fall outside the scope of the evaluation.

FPT_INT_EXT.2 Interactions with URL Reputation Services

The TSF shall use a URL reputation service to prevent connections with malicious websites.
Application Note: A URL reputation service is an online service that identifies websites with malicious or phishing content applications; it is used to detect such websites prior to allowing users to access them. The goal of this requirement is to ensure that the browser is prevented from establishing connections with known-bad sources of malware on the internet. The specifics of the sequence of actions taken before a block decision is made may depend upon the specific implementation of the browser. For example, some browsers might implement the check for malicious content by checking against the list of bad URLs provided by the URL reputation service in real time. Other browsers may download updated lists of bad URLs at browser startup, updating the list periodically from the URL reputation service or services until the browser is terminated. Ultimately, the result should be that the browser blocks the connection to the bad URL.

A.3 Implementation-dependent Requirements

This PP-Module does not define any Implementation-dependent SFRs.

Appendix B - Selection-based Requirements

B.1 Protection of the TSF (FPT)

FPT_AON_EXT.2 Trusted Installation and Update for Add-ons

The inclusion of this selection-based component depends upon selection in FPT_AON_EXT.1.1.
The TSF shall [selection: provide the ability, leverage the platform] to provide a means to cryptographically verify add-ons using a digital signature mechanism and [selection, choose one of: published hash, no other functions] prior to installation and update.
The TSF shall [selection: provide the ability, leverage the platform] to query the current version of the add-on.
The TSF shall prevent the automatic installation of add-ons.
Application Note: This selection-based SFR is claimed when trusted add-ons is selected in FPT_AON_EXT.1.1.

Appendix C - Extended Component Definitions

This appendix contains the definitions for all extended requirements specified in the PP-Module.

C.1 Extended Components Table

All extended components specified in the PP-Module are listed in this table:
Table 4: Extended Component Definitions
Functional ClassFunctional Components
Cryptographic Support (FCS)FCS_STS_EXT Strict Transport Security
Protection of the TSF (FPT)FPT_ADD_EXT Add-ons
FPT_AON_EXT Add-Ons
FPT_DNL_EXT File Downloads
FPT_INT_EXT Reputation Service Interaction
Security Management (FMT)FMT_MOF_EXT Management of Functions Behavior
User Data Protection (FDP)FDP_ACF_EXT Access Control Functions
FDP_COO_EXT Cookie Blocking
FDP_PST_EXT Storage of Persistent Information
FDP_SBX_EXT Sandboxing
FDP_SOP_EXT Same Origin Policy
FDP_STR_EXT Secure Transmission of Cookie Data
FDP_TRK_EXT Tracking Information Collection

C.2 Extended Component Definitions

C.2.1 Cryptographic Support (FCS)

This PP-Module defines the following extended components as part of the FCS class originally defined by CC Part 2:

C.2.1.1 FCS_STS_EXT Strict Transport Security

Family Behavior

Components in this family define requirements for the implementation of HTTP Strict-Transport-Security.

Component Leveling

FCS_STS_EXT1

FCS_STS_EXT.1, Strict Transport Security, requires the TSF to implement HTTP Strict-Transport-Security.

Management: FCS_STS_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable HSTS mode.

Audit: FCS_STS_EXT.1

There are no auditable events foreseen.

FCS_STS_EXT.1 Strict Transport Security

Hierarchical to:No other components.
Dependencies to: FCS_HTTPS_EXT.1 HTTPS Protocol

FCS_STS_EXT.1.1

The TSF shall implement HTTP Strict-Transport-Security according to RFC 6797.

FCS_STS_EXT.1.2

The TSF shall retain persistent data signaling HSTS enablement for the time span declared by the website in a max-age directive.

FCS_STS_EXT.1.3

The TSF shall cache the "freshest" Strict Security policy information.

C.2.2 Protection of the TSF (FPT)

This PP-Module defines the following extended components as part of the FPT class originally defined by CC Part 2:

C.2.2.1 FPT_AON_EXT Add-Ons

Family Behavior

Components in this family define requirements for the secure handling of add-ons that can be installed on top of the TOE.

Component Leveling

FPT_AON_EXT12

FPT_AON_EXT.1, Support for Only Trusted Add-ons, requires the TSF to either support no add-ons or to only support trusted add-ons.

FPT_AON_EXT.2, Trusted Installation and Update for Add-ons, requires the TSF to implement a method to verify the integrity of add-ons and ensure that untrusted or unknown add-ons are not loaded for use.

Management: FPT_AON_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable support for add-ons.

Audit: FPT_AON_EXT.1

There are no auditable events foreseen.

FPT_AON_EXT.1 Support for Only Trusted Add-ons

Hierarchical to:No other components.
Dependencies to: No dependencies.

FPT_AON_EXT.1.1

The TSF shall include the capability to load [selection, choose one of: trusted add-ons, no add-ons].

Management: FPT_AON_EXT.2

No specific management functions are identified.

Audit: FPT_AON_EXT.2

There are no auditable events foreseen.

FPT_AON_EXT.2 Trusted Installation and Update for Add-ons

Hierarchical to:No other components.
Dependencies to: FCS_COP.1 Cryptographic Operation

FPT_AON_EXT.1 Support for Only Trusted Add-Ons

FPT_AON_EXT.2.1

The TSF shall [selection: provide the ability, leverage the platform] to provide a means to cryptographically verify add-ons using a digital signature mechanism and [selection, choose one of: published hash, no other functions] prior to installation and update.

FPT_AON_EXT.2.2

The TSF shall [selection: provide the ability, leverage the platform] to query the current version of the add-on.

FPT_AON_EXT.2.3

The TSF shall prevent the automatic installation of add-ons.

C.2.2.2 FPT_DNL_EXT File Downloads

Family Behavior

Components in this family define requirements for downloaded content.

Component Leveling

FPT_DNL_EXT1

FPT_DNL_EXT.1, File Downloads, requires the TSF to intervene in the case it is prompted to download executable file data.

Management: FPT_DNL_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable user's ability to select default actions upon download of a file (e.g., always open or always save a downloaded file).
  • Enable and disable launching of downloaded files outside the browser.

Audit: FPT_DNL_EXT.1

There are no auditable events foreseen.

FPT_DNL_EXT.1 File Downloads

Hierarchical to:No other components.
Dependencies to: No dependencies.

FPT_DNL_EXT.1.1

The TSF shall prevent downloaded content from launching automatically.

FPT_DNL_EXT.1.2

The TSF shall present the user with the option to either save or discard downloaded files.

C.2.2.3 FPT_ADD_EXT Add-ons

Family Behavior

Components in this family define requirements for execution of add-ons.

Component Leveling

FPT_ADD_EXT1

FPT_ADD_EXT.1, Add-ons, requires the TSF to identify the add-on types it supports and to ensure that a mechanism exists to prevent the automatic execution of potentially malicious add-ons.

Management: FPT_ADD_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable display notification when unsigned, untrusted, or unverified add-ons are encountered.
  • Enable and disable support for add-ons.

Audit: FPT_ADD_EXT.1

There are no auditable events foreseen.

FPT_ADD_EXT.1 Add-ons

Hierarchical to:No other components.
Dependencies to: No dependencies.

FPT_ADD_EXT.1.1

The TSF shall support the capability to execute [selection, choose one of: signed [assignment: add-ons (i.e. plug-ins and extensions) supported by the browser] , no] add-ons.

FPT_ADD_EXT.1.2

The TSF shall [selection, choose one of: automatically discard, provide the user with the option to discard] unsigned, untrusted, or unverified [assignment: supported add-ons (i.e., plug-ins and extensions)] web-based code executed in add-ons without executing it.

C.2.2.4 FPT_INT_EXT Reputation Service Interaction

Family Behavior

Components in this family define requirements for the TOE's interaction with reputation services that can provide an assessment of the trustworthiness of data presented to the TSF.

Component Leveling

FPT_INT_EXT12

FPT_INT_EXT.1, Interactions with Application Reputation Services, requires the TSF to be able to interact with an application reputation service to assess whether application data is potentially malicious.

FPT_INT_EXT.2, Interactions with URL Reputation Services, requires the TSF to be able to interact with a URL reputation service to assess whether websites are potentially malicious.

Management: FPT_INT_EXT.1

The following actions could be considered for the management functions in FMT:

  • Configure the use of an application reputation service to detect malicious applications prior to download.

Audit: FPT_INT_EXT.1

There are no auditable events foreseen.

FPT_INT_EXT.1 Interactions with Application Reputation Services

Hierarchical to:No other components.
Dependencies to: No dependencies.

FPT_INT_EXT.1.1

The TSF shall use an application reputation service to prevent downloading of malicious applications.

Management: FPT_INT_EXT.2

The following actions could be considered for the management functions in FMT:

  • Configure the use of a URL reputation service to detect sites that contain malware or phishing content.

Audit: FPT_INT_EXT.2

There are no auditable events foreseen.

FPT_INT_EXT.2 Interactions with URL Reputation Services

Hierarchical to:No other components.
Dependencies to: No dependencies.

FPT_INT_EXT.2.1

The TSF shall use a URL reputation service to prevent connections with malicious websites.

C.2.3 Security Management (FMT)

This PP-Module defines the following extended components as part of the FMT class originally defined by CC Part 2:

C.2.3.1 FMT_MOF_EXT Management of Functions Behavior

Family Behavior

Components in this family define requirements for technology-specific management functions that are not enumerated in the Part 2 family FMT_MOF.

Component Leveling

FMT_MOF_EXT1

FMT_MOF_EXT.1, Management of Functions Behavior, requires the TSF to implement management functions specified in the SFR.

Management: FMT_MOF_EXT.1

No specific management functions are identified.

Audit: FMT_MOF_EXT.1

There are no auditable events foreseen.

FMT_MOF_EXT.1 Management of Functions Behavior

Hierarchical to:No other components.
Dependencies to: No dependencies.

FMT_MOF_EXT.1.1

The TSF shall be capable of performing the following management functions, controlled by the administrator or user as shown: [assignment: list of management functions to be performed by role].

C.2.4 User Data Protection (FDP)

This PP-Module defines the following extended components as part of the FDP class originally defined by CC Part 2:

C.2.4.1 FDP_ACF_EXT Access Control Functions

Family Behavior

Components in this family define requirements for data access control beyond those which are specified in the Part 2 family FDP_ACF.

Component Leveling

FDP_ACF_EXT1

FDP_ACF_EXT.1, Local and Session Storage Separation, requires the TSF to enforce data protection mechanisms such that user data is only accessible from its originator.

Management: FDP_ACF_EXT.1

No specific management functions are identified.

Audit: FDP_ACF_EXT.1

There are no auditable events foreseen.

FDP_ACF_EXT.1 Local and Session Storage Separation

Hierarchical to:No other components.
Dependencies to: No dependencies.

FDP_ACF_EXT.1.1

The TSF shall separate local (permanent) and session (ephemeral) storage based on domain, protocol, and port:

  • Session storage shall be accessible only from the originating window or tab;
  • Local storage shall only be accessible from windows or tabs running the same web application.

C.2.4.2 FDP_COO_EXT Cookie Blocking

Family Behavior

Components in this family define requirements for controlling whether the TOE stores third-party cookie data.

Component Leveling

FDP_COO_EXT1

FDP_COO_EXT.1, Cookie Blocking, requires the TSF to have a configurable mechanism for blocking the storage of third-party cookies.

Management: FDP_COO_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable storage of third-party cookies.

Audit: FDP_COO_EXT.1

There are no auditable events foreseen.

FDP_COO_EXT.1 Cookie Blocking

Hierarchical to:No other components.
Dependencies to: No dependencies.

FDP_COO_EXT.1.1

The TSF shall provide the capability to block the storage of third-party cookies by websites.

C.2.4.3 FDP_SBX_EXT Sandboxing

Family Behavior

Components in this family define requirements for ensuring domain separation through sandboxing.

Component Leveling

FDP_SBX_EXT1

FDP_SBX_EXT.1, Sandboxing of Rendering Processes, requires the TSF to implement sandboxing of rendering processes such that least privilege is enforced on the rendering process.

Management: FDP_SBX_EXT.1

No specific management functions are identified.

Audit: FDP_SBX_EXT.1

There are no auditable events foreseen.

FDP_SBX_EXT.1 Sandboxing of Rendering Processes

Hierarchical to:No other components.
Dependencies to: No dependencies.

FDP_SBX_EXT.1.1

The TSF shall [selection, choose one of: invoke platform-provided functionality, implement functionality] to ensure that webpage rendering is performed in a process that is restricted in the following manner:
  • The rendering process can only directly access the area of the file system dedicated to the browser.
  • The rendering process can only directly invoke inter-process communication mechanisms with its own browser processes.
  • The rendering process has reduced privilege with respect to other browser processes [selection, choose one of: [assignment: other methods by which the principle of least privilege is implemented for rendering processes], in no other ways].

C.2.4.4 FDP_SOP_EXT Same Origin Policy

Family Behavior

Components in this family define requirements for implementation of the Same Origin Policy concept.

Component Leveling

FDP_SOP_EXT1

FDP_SOP_EXT.1, Same Origin Policy, requires the TSF to implement the Same Origin Policy concept for web content.

Management: FDP_SOP_EXT.1

No specific management functions are identified.

Audit: FDP_SOP_EXT.1

There are no auditable events foreseen.

FDP_SOP_EXT.1 Same Origin Policy

Hierarchical to:No other components.
Dependencies to: No dependencies.

FDP_SOP_EXT.1.1

The TSF shall only permit scripts contained in one webpage to access data in a second webpage if both pages are from the same origin.

FDP_SOP_EXT.1.2

The TSF shall enforce the same origin policy for all domains.

C.2.4.5 FDP_STR_EXT Secure Transmission of Cookie Data

Family Behavior

Components in this family define requirements for using HTTPS to transmit sensitive cookie data.

Component Leveling

FDP_STR_EXT1

FDP_STR_EXT.1, Secure Transmission of Cookie Data, requires the TSF to use HTTPS to transmit cookie data that has a security-relevant attribute.

Management: FDP_STR_EXT.1

No specific management functions are identified.

Audit: FDP_STR_EXT.1

There are no auditable events foreseen.

FDP_STR_EXT.1 Secure Transmission of Cookie Data

Hierarchical to:No other components.
Dependencies to: FCS_HTTPS_EXT.1 HTTPS Protocol

FDP_STR_EXT.1.1

The TSF shall ensure that cookies containing the 'secure' attribute in the set-cookie header are sent over HTTPS.

C.2.4.6 FDP_TRK_EXT Tracking Information Collection

Family Behavior

Components in this family define requirements for notifying a user when certain data that reflects the usage of the TOE is being tracked.

Component Leveling

FDP_TRK_EXT1

FDP_TRK_EXT.1, Tracking Information Collection, requires the TSF to specify the data tracking that results in user notification.

Management: FDP_TRK_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable ability for websites to collect tracking information about the user.
  • Enable and disable deletion of stored browsing data.

Audit: FDP_TRK_EXT.1

There are no auditable events foreseen.

FDP_TRK_EXT.1 Tracking Information Collection

Hierarchical to:No other components.
Dependencies to: No dependencies.

FDP_TRK_EXT.1.1

The TSF shall provide notification to the user when tracking information for [assignment: list of trackable browser data] is requested by a website.

C.2.4.7 FDP_PST_EXT Storage of Persistent Information

Family Behavior

Components in this family define requirements for the minimum amount of information that may be stored persistently by the TSF while retaining its functionality.

Component Leveling

FDP_PST_EXT1

FDP_PST_EXT.1, Storage of Persistent Information, requires the TSF to enumerate the minimum set of data that it must store persistently in order to function normally.

Management: FDP_PST_EXT.1

The following actions could be considered for the management functions in FMT:

  • Enable and disable persistent storage of sensitive information.

Audit: FDP_PST_EXT.1

There are no auditable events foreseen.

FDP_PST_EXT.1 Storage of Persistent Information

Hierarchical to:No other components.
Dependencies to: No dependencies.

FDP_PST_EXT.1.1

The TSF shall provide the capability to operate without storing persistent data to the file system with the following exceptions: [assignment: data that the TSF must store persistently].

Appendix D - Entropy Documentation and Assessment

The TOE does not require any additional supplementary information to describe its entropy sources beyond the requirements outlined in the Base-PP.

Appendix E - Acronyms

Table 5: Acronyms
AcronymMeaning
Base-PPBase Protection Profile
CCCommon Criteria
CEMCommon Evaluation Methodology
cPPCollaborative Protection Profile
CRLCertificate Revocation List
CSRFCross-Site Request Forgery
EPExtended Package
FPFunctional Package
GPUGraphics Processing Unit
HSTSHTTP Strict Transport Security
HTMLHyperText Markup Language
HTTPHyperText Transfer Protocol
HTTPSHyperText Transfer Protocol Secure
IETFInternet Engineering Task Force
IPCInter-Process Communication
OCSPOnline Certificate Status Protocol
OEOperational Environment
PDFPortable Document Format
PPProtection Profile
PP-ConfigurationProtection Profile Configuration
PP-ModuleProtection Profile Module
SaaSSoftware as a Service
SARSecurity Assurance Requirement
SFRSecurity Functional Requirement
STSecurity Target
TLSTransport Layer Security
TOETarget of Evaluation
TSFTOE Security Functionality
TSFITSF Interface
TSSTOE Summary Specification
W3CWorld Wide Web Consortium
XSSCross-Site Scripting

Appendix F - Bibliography

Table 6: Bibliography
IdentifierTitle
[App PP] Protection Profile for Application Software, Version 2.0, TBD URL/Date needs to be updated once the APP-PP-2.0 is released.
[CC]Common Criteria for Information Technology Security Evaluation -
[CEM]Common Methodology for Information Technology Security Evaluation -