Clean up the top level of Web/Security

[wbamberg]

This is a component of https://github.com/orgs/mdn/discussions/802, but more narrowly focused.

One aspect of organizing the Web/Security docs is dealing with the pages in the top level that aren't the top level of a section (as, for instance, Attacks and Authentication are). Currently there is a random collection of pages in the top level. The purpose of this discussion item is to go through these pages and decide where to put them.

The relevant pages are:

Firefox security guidelines
Insecure passwords
Transport Layer Security (TLS)
Mixed content
Same-origin policy
Certificate Transparency
Subresource Integrity
Features gated by user activation
IFrame credentialless
Referer header: Privacy and security concerns
Weak signature algorithms
Secure contexts

Defenses

One main piece of the proposal is to have a new top level category called "Defenses", to sit alongside "Attacks". This category contains pages that describe web platform features that are designed to provide a defense against one or more attacks. These are "Explanations" in Diátaxis terms, aka "the only kind of documentation that it might make sense to read in the bath". Which means they're broader and more discursive than, say, the "Defenses" sections of our "Attacks" articles, which are all about How to employ one of these features to counter a particular threat.

We think quite a few of these pages fit reasonably in such a category:

Transport Layer Security (TLS)
Same-origin policy
Subresource Integrity
Features gated by user activation (but rename to "User activation")
Secure contexts

The rest

The other pages need different solutions.

Firefox security guidelines	This seems to be a set of very high level security guidelines for writing Firefox code. A lot of it is extremely generic and not applicable to web development (e.g. C++ dangerous functions) Can we just retire this guide? Is it that useful for web developers?
Insecure passwords	Redirect to the new passwords guide.
Mixed content	Integrate into the TLS guide.
Certificate Transparency	Most of this is not relevant to web devs. Boil it down to a paragraph or two in the TLS guide.
IFrame credentialless	This is a bit tricky. It's quite a niche topic (using COEP with third-party content). We could add it into the COEP page? Or we could write a new COEP guide to sit alongside the existing CORP guide.
Referer header: Privacy and security concerns	Move to Web/Privacy.
Weak signature algorithms	Delete, and redirect to https://developer.mozilla.org/en-US/docs/Glossary/Hash_function , which also contains this advice.

[wbamberg]

I'd be happy to get +1 on the easier ones, so I can get this work going, even if some others take a bit more discussion.

[chrisdavidmills]

I think this plan makes sense. Thanks for writing it up, @wbamberg. I'd be happy to give all of it a +1, with some caveats/discussion on a couple of the unsure items:

• Firefox security guidelines: This definitely doesn't belong on MDN, in the same way that other Firefox development stuff or WebKit/Chromium development stuff doesn't belong on MDN. I'd suggest asking someone in @Rumyra's team to find out who is responsible for https://firefox-source-docs.mozilla.org/index.html and pass it to whoever that is, asking if they can check it to see if it still contains any useful content and move it over if so (with a redirect). Maybe remove it after a timebox of a few weeks. If someone then decides they need some of it, they can still retrieve it from history.
• IFrame credentialless: Moving this into the HTTP guides to sit next to the CORP guide would work. I'd rather not have this included in a separate guide, as I think the current visibility is needed.

[wbamberg]

I think this plan makes sense. Thanks for writing it up, @wbamberg. I'd be happy to give all of it a +1, with some caveats/discussion on a couple of the unsure items:

• Firefox security guidelines: This definitely doesn't belong on MDN, in the same way that other Firefox development stuff or WebKit/Chromium development stuff doesn't belong on MDN. I'd suggest asking someone in @Rumyra's team to find out who is responsible for https://firefox-source-docs.mozilla.org/index.html and pass it to whoever that is, asking if they can check it to see if it still contains any useful content and move it over if so (with a redirect). Maybe remove it after a timebox of a few weeks. If someone then decides they need some of it, they can still retrieve it from history.

Yeah, that's fair. I did wonder about this but found it hard to see how it could realistically be used in Firefox still.

• IFrame credentialless: Moving this into the HTTP guides to sit next to the CORP guide would work. I'd rather not have this included in a separate guide, as I think the current visibility is needed.

I don't really agree with this, because I think it's an aspect of implementing COEP, so it has high coherence with the COEP guide (it only makes sense if you are implementing COEP, right?). But your suggestion unblocks me so I'm OK with it.

[chrisdavidmills]

I don't really agree with this, because I think it's an aspect of implementing COEP, so it has high coherence with the COEP guide (it only makes sense if you are implementing COEP, right?). But your suggestion unblocks me so I'm OK with it.

Hrm, looking at this again, I am a bit on the fence now. It definitely needs more of a mention on the COEP page and a link to the page; however, adding all this info to the COEP page would make it a bit heavy; it is also more guide-type information. I think ultimately, a new COEP guide incorporating it would be best, but move it for now and decide on this later?

[wbamberg]

I think ultimately, a new COEP guide incorporating it would be best, but move it for now and decide on this later?

Yeah, I totally agree with that!

[pransh15]

Hi @wbamberg, thanks for submitting this proposal. I like the new structure, I don't have any comments on where things go but I will share this discussion with the team and see if they would like to share any suggestions.

[wbamberg]

mdn/content#41942 deletes and redirects the Insecure passwords and Weak signature algorithms pages.

[wbamberg]

mdn/content#42158 creates "Defenses" and moves most of the top-level pages under it.

[wbamberg]

mdn/content#42192 moves "Referer" and "IFrame credentialless".