
Turn on CSP #995

Closed
magopian opened this issue Nov 27, 2015 · 19 comments

Comments

@magopian (Contributor) commented Nov 27, 2015

This is something we keep thinking about, and then forgetting. @muffinresearch care to give a few hints and tips on this one? Advice or pointers on how to do that? Any idea how big a project it is?

@andymckay commented Dec 16, 2015

@muffinresearch (Member) commented Dec 16, 2015

The config should already be in place - so it just needs updating based on testing.

The biggest impact will be the potential for blocking something that matters. The best way to deal with that is going to be to turn it on for real in local dev and maybe addons-dev initially. Look for blocked scripts and iterate on the config until everything works.

Once we have that working we can go to stage and have QA do similar checks. It's going to be a similar process to dealing with jquery-migrate. For that reason we shouldn't do both at the same time.

The only other thing is working out where reports should go - we probably want @amuntner to chime in on that.

@andymckay commented Dec 16, 2015

@jvehent commented Dec 16, 2015

FYI, we're working on generalizing the reporting and deduplication pipeline for cloud services. I'd suggest using the same reporting method @Micheletto put in place for Hello, which uses a report URI in Nginx and feeds into Heka. (cc @jasonthomas)

@andymckay commented Dec 16, 2015

We ddos'ed ourselves last time due to https://bugzilla.mozilla.org/show_bug.cgi?id=615708. Just so you know.

@jvehent commented Dec 17, 2015

@andymckay Are you suggesting that sending reports to the same origin might induce a ddos risk?

@andymckay-limited-access (Contributor) commented Dec 17, 2015

It has in the past, which is why it was never turned on. Would like to avoid that again.

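As an added example (not addons-server code, and not anything posted in this thread), here is a small Python sketch of the two points raised above: the report-only rollout @muffinresearch describes (emit `Content-Security-Policy-Report-Only`, look at what gets reported, iterate on the policy) and the concern @andymckay raises about the report endpoint flooding the site. It builds the header from a policy dict, parses the JSON a browser POSTs to `report-uri`, and deduplicates and throttles incoming reports before anything downstream sees them. The policy, the `/__cspreport__` path, the `.invalid` hostnames and the sample reports are all constructed placeholders; `ReportSink` is a hypothetical helper, not a real library API.

```python
"""Report-only CSP rollout helpers (added example, not addons-server code).
Builds the Content-Security-Policy-Report-Only header, parses the JSON that
browsers POST to report-uri, and dedups/throttles reports so a noisy policy
cannot flood the same-origin report endpoint. All hosts, paths and sample
reports are constructed placeholders."""
import json
import time
from collections import Counter

# Constructed starting policy for a report-only rollout (not the real config).
CSP_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.invalid"],
    "img-src": ["'self'", "data:"],
    "report-uri": ["/__cspreport__"],  # assumed path of the report handler
}

def build_csp_header(policy, report_only=True):
    """Return (header name, header value) for a policy dict.
    report_only=True makes the browser report violations without blocking,
    which is how you find what the policy would break before enforcing it."""
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    value = "; ".join(f"{directive} {' '.join(sources)}"
                      for directive, sources in policy.items())
    return name, value

def parse_csp_report(body):
    """Pull the fields worth logging out of a report-uri POST body.
    Browsers send {"csp-report": {...}}; missing keys are tolerated because
    the field set has varied between browser versions."""
    report = json.loads(body).get("csp-report", {})
    directive = (report.get("effective-directive")
                 or report.get("violated-directive", ""))
    return {"document": report.get("document-uri", ""),
            "directive": directive,
            "blocked": report.get("blocked-uri", "")}

class ReportSink:
    """Dedup reports by (directive, blocked URI) and cap intake per window.
    A misconfigured policy fires a report on every page view, so an
    unthrottled same-origin endpoint can saturate the site it protects.
    The clock is injectable so the windowing is testable."""

    def __init__(self, max_per_window=100, window_seconds=60,
                 clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock
        self.window_start = clock()
        self.seen_in_window = 0
        self.counts = Counter()  # (directive, blocked) -> occurrences

    def submit(self, report):
        """Return 'accepted', 'duplicate' or 'throttled' for one parsed report."""
        now = self.clock()
        if now - self.window_start >= self.window_seconds:
            self.window_start, self.seen_in_window = now, 0
        if self.seen_in_window >= self.max_per_window:
            return "throttled"  # dropped before any further processing
        self.seen_in_window += 1
        key = (report["directive"], report["blocked"])
        self.counts[key] += 1
        return "accepted" if self.counts[key] == 1 else "duplicate"

    def summary(self):
        """Distinct violations with their counts, most frequent first."""
        return self.counts.most_common()

def ingest(bodies, sink):
    """Parse each raw report body and feed it to the sink; return the statuses."""
    return [sink.submit(parse_csp_report(body)) for body in bodies]

# Constructed sample reports shaped like what a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://addons.example.invalid/",
        "effective-directive": "script-src",
        "blocked-uri": "https://analytics.example.invalid/a.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://addons.example.invalid/search",
        "effective-directive": "script-src",
        "blocked-uri": "https://analytics.example.invalid/a.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://addons.example.invalid/",
        "violated-directive": "img-src 'self' data:",
        "blocked-uri": "http://images.example.invalid/x.png"}}),
]

if __name__ == "__main__":
    print(build_csp_header(CSP_POLICY)[1])
    sink = ReportSink()
    print(ingest(SAMPLE_REPORTS, sink), sink.summary())
```

The `summary()` output is the thing to iterate on during the report-only week: each distinct (directive, blocked URI) pair is either a source that belongs in the policy or something that should stay blocked. The per-window cap is the cheap defence against the report storm; a real deployment would also want the rate limit in front of the app (at the Nginx layer, as @jvehent suggests) so the reports never reach Django in the first place.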

@andymckay commented Jan 8, 2016

Tracker #1244

@april commented Jan 11, 2016

I'm certainly willing to provide assistance on CSP as well, if anybody has any questions. Just let me know! :)

@muffinresearch (Member) commented Jan 21, 2016

> I should also note that IE8 is past its EOL date, so I don't think we're generally too concerned about supporting it from a security perspective outside of bedrock as it is.

Hah, yes good point!

@muffinresearch (Member) commented Jan 22, 2016

OK, I've filed the following ops tickets re the headers.

Update: this is now superseded by #1511 since we are setting other related headers in Django already.

@muffinresearch (Member) commented Feb 1, 2016

Here's an etherpad with some qa notes: https://public.etherpad-mozilla.org/p/csp-qa-addons

@muffinresearch (Member) commented Feb 2, 2016

OK, so, latest update: the report-only mode is back for another week so we can clear up the last remaining issues.

@ValentinaPC commented Oct 25, 2017

This can be marked as verified fixed because all related bugs were verified or superseded.

7 participants