
Turn on CSP #1660

Closed
magopian opened this issue Nov 27, 2015 · 19 comments · Fixed by mozilla/addons-server#1550
Labels
repository:addons-server Issue relating to addons-server

Comments

@magopian
Contributor

This is something we keep thinking about, and then forgetting. @muffinresearch care to give a few hints and tips on this one? Advice or pointers on how to do that? Any idea how big a project it is?

@andymckay

See https://bugzilla.mozilla.org/show_bug.cgi?id=594584 for old information.

@muffinresearch
Contributor

The config should already be in place - so it just needs updating based on testing.

The biggest impact will be the potential for blocking something that matters. The best way to deal with that is going to be to turn it on for real in local dev and maybe addons-dev initially. Look for blocked scripts and iterate on the config until everything works.

Once we have that working we can go to stage and have QA do similar checks. It's going to be a similar process to dealing with jquery-migrate. For that reason we shouldn't do both at the same time.

The only other thing is working out where reports should go - we probably want @amuntner to chime in on that.

@andymckay

Make sure this works in docker: https://bugzilla.mozilla.org/show_bug.cgi?id=1210633

@jvehent

jvehent commented Dec 16, 2015

FYI, we're working on generalizing the reporting and deduplication pipeline for cloud services. I'd suggest using the same reporting method @Micheletto put in place for Hello, which uses a report URI in Nginx and feeds into Heka. (cc @jasonthomas)

@andymckay

We ddos'ed ourselves last time due to https://bugzilla.mozilla.org/show_bug.cgi?id=615708. Just so you know.

@jvehent

jvehent commented Dec 17, 2015

@andymckay Are you suggesting that sending reports to the same origin might induce a ddos risk?

@andymckay-limited-access

It has in the past, which is why it was never turned on. Would like to avoid that again.

On Thu, Dec 17, 2015 at 10:19 AM, Julien Vehent [:ulfr] <
notifications@github.com> wrote:

@andymckay https://github.com/andymckay Are you suggesting that sending reports to the same origin might induce a ddos risk?


@andymckay

Tracker #2282

@april

april commented Jan 11, 2016

I'm certainly willing to provide assistance on CSP as well, if anybody has any questions. Just let me know! :)

@muffinresearch
Contributor

Here's an etherpad with some qa notes: https://public.etherpad-mozilla.org/p/csp-qa-addons

@muffinresearch
Contributor

Ok, so latest update: the report-only mode is back for another week so we can clear up the last remaining issues.
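The thread above covers three pieces of the rollout: iterating on the policy in report-only mode (muffinresearch), sending violation reports to a `report-uri` endpoint that feeds a pipeline (jvehent), and the earlier self-DDoS caused by every visitor's browser posting reports back to the same origin (andymckay). The following is an added example, not addons-server code and not the Nginx/Heka setup referenced in the thread: it serialises a policy dict into a `Content-Security-Policy-Report-Only` header and shows a report-endpoint helper that parses browser CSP reports and de-duplicates them, so that a single misconfigured directive on a popular page yields a handful of forwarded reports rather than one per page view. The policy values, hostnames, report path and sample report are all constructed for the example.

```python
"""Added example: CSP report-only header plus a de-duplicating report sink.
Not addons-server code; all hosts, paths and the sample report are constructed."""
import json
from collections import Counter

# Constructed policy: directive -> list of sources. The report-uri is same-origin,
# which is exactly the case where report volume can come back to bite the site.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://static.example.invalid"],
    "style-src": ["'self'", "'unsafe-inline'"],  # weak: still allows inline styles
    "img-src": ["'self'", "data:"],
    "report-uri": ["/__cspreport__"],
}


def build_csp_header(policy, report_only=True):
    """Serialize a policy dict into a (header-name, header-value) pair.

    report_only=True produces the header browsers log but do not enforce,
    which is the mode used while the config is still being tested."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())
    return name, value


def parse_report(body):
    """Reduce a browser CSP violation report (application/csp-report JSON)
    to a (directive, blocked-uri, document-uri) key suitable for de-duplication."""
    data = json.loads(body)
    report = data.get("csp-report", data)
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    # Keep only the directive name: "script-src 'self'" -> "script-src".
    directive = directive.split()[0] if directive else ""
    # Strip query strings so the same blocked resource or page dedups together.
    blocked = report.get("blocked-uri", "").split("?")[0]
    document = report.get("document-uri", "").split("?")[0]
    return directive, blocked, document


class ReportAggregator:
    """Count reports per key and forward only the first `forward_limit` of each.

    Every report is still counted, so the totals remain visible for triage, but
    a flood of identical violations does not become a flood of downstream work."""

    def __init__(self, forward_limit=3):
        self.forward_limit = forward_limit
        self.counts = Counter()
        self.forwarded = []

    def ingest(self, body):
        """Return True if this report was forwarded, False if only counted."""
        key = parse_report(body)
        self.counts[key] += 1
        if self.counts[key] <= self.forward_limit:
            self.forwarded.append(key)
            return True
        return False


# Constructed sample: a third-party script blocked by script-src on one page.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://addons.example.invalid/en-US/firefox/?src=hp",
        "violated-directive": "script-src 'self' https://static.example.invalid",
        "effective-directive": "script-src",
        "blocked-uri": "https://thirdparty.example.invalid/widget.js?v=1",
        "disposition": "report",
    }
})


def run_demo(copies=5, forward_limit=3):
    """Feed `copies` identical reports through the aggregator and return
    (number forwarded, total counted for that key)."""
    agg = ReportAggregator(forward_limit=forward_limit)
    for _ in range(copies):
        agg.ingest(SAMPLE_REPORT)
    key = parse_report(SAMPLE_REPORT)
    return len(agg.forwarded), agg.counts[key]


if __name__ == "__main__":
    print(*build_csp_header(POLICY), sep=": ")
    print("forwarded/total:", run_demo())
```

The header builder is deliberately dumb: it emits exactly what is in the dict, so the dict is the thing to review before switching `report_only` to `False`. The aggregator is in-process state; in a real deployment the same counting would live in whatever sits behind the `report-uri` (a reverse proxy or a log pipeline), and the forward limit would be per time window rather than for the life of the process.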

@ValentinaPC

This can be marked as verified fixed because all related bugs were verified or superseded.
