Skip to content
This repository has been archived by the owner. It is now read-only.

/ fxa-content-server Archived

add reverse-proxy for CSP violations #1426

Closed
warner opened this issue Jul 21, 2014 · 0 comments
Closed

add reverse-proxy for CSP violations #1426

warner opened this issue Jul 21, 2014 · 0 comments
Assignees
@shane-tomlinson
Labels
metrics
Milestone
FxA-0: quality

Comments

@warner
Copy link
Contributor

@warner warner commented Jul 21, 2014

When a Content Security Policy violation report URL lives in the same origin as the page which included the CSP header, the report will contain more information, which can be very helpful to track down what exactly is causing the problem. We're currently sending violation reports to a separate server (and will probably continue this in the future). To do both, we need to configure a reverse proxy, so CSP reports from e.g. https://accounts.stage.mozaws.net/signup can be reported to https://accounts.stage.mozaws/net/_/csp-violation and then get forwarded to https://fxa-csp-violations.stage.mozaws.net/_/csp-violation. We should probably build this as an nginx rule, but it could also be done with a route in the node.js server.

In stage/production we use the nginx configuration to deliver the CSP header anyways, so it's a good fit to use the nginx config for the reverse proxy too: it's easier to keep the header and the proxy in sync by having them live in the same config file.
@warner warner added the csp label Jul 21, 2014
@ckarlof ckarlof added this to the 2014 Q3 (Sep 30) milestone Jul 31, 2014
@ckarlof ckarlof modified the milestones: 2014 Q3 (Sep 30), train-21 (Sep 8), 2014 Q4 (Dec 31) Sep 4, 2014
@ckarlof ckarlof removed this from the 2014 Q4 (Dec 31) milestone Jun 8, 2015
@vladikoff vladikoff self-assigned this Oct 13, 2015
@vladikoff vladikoff added this to the FxA-0: quality milestone Oct 13, 2015
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Oct 15, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
Loading status checks…
5f6d657 
Fixes mozilla#1426
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Oct 15, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
Loading status checks…
3cd0c98 
Fixes mozilla#1426
@vladikoff vladikoff mentioned this issue Oct 15, 2015
Closed
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Oct 16, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
Loading status checks…
2e33ab6 
Fixes mozilla#1426
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Oct 27, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
2428fe3 
Fixes mozilla#1426
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Nov 3, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
Loading status checks…
37b83f3 
Fixes mozilla#1426
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Nov 4, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
Loading status checks…
647d027 
Fixes mozilla#1426
vladikoff added a commit to vladikoff/fxa-content-server that referenced this issue Nov 12, 2015
@vladikoff
feat(csp): enable report only CSP in prodiction
Loading status checks…
69ef16e 
Fixes mozilla#1426
vladikoff added a commit that referenced this issue Nov 13, 2015
@vladikoff Shane Tomlinson
feat(csp): enable report only CSP in prodiction
2fbe096 
Fixes #1426
@shane-tomlinson shane-tomlinson mentioned this issue Nov 13, 2015
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@shane-tomlinson shane-tomlinson

Labels
metrics
Projects
None yet
Milestone
FxA-0: quality
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
@warner @vladikoff @shane-tomlinson @ckarlof