This repository has been archived by the owner. It is now read-only.

feat(server): Set security headers on all HTML pages. #4750

Merged
merged 5 commits into from Feb 24, 2017

Conversation

@shane-tomlinson
Member

@shane-tomlinson shane-tomlinson commented Feb 22, 2017

@g-k - here's what I came up with today, not as bad as I expected.

What is the problem?

The 404 page didn't have x-frame-options, content-security-policy,
and x-robots-tag headers set.

How does this fix it?

Set up the frame-guard, csp, and noindex middlewares to set their
headers on every HTML response. This is done by wrapping existing
middlewares that only work with HTML responses in the onHeaders
middleware. Using the onHeaders middleware, check if the
content-type is HTML, and if so, call the original middleware to
set the header.

Why are all those tests updated?

I updated the unit tests of frame-guard, csp, and noindex to ignore
the onHeaders middleware. Additionally, since we know definitively
the response is HTML, the checks to see if the middleware is applicable
are no longer needed, except for CSP where no CSP headers are set for unit
tests. This allowed me to remove utils.js too.

The unit tests for the x-robots-tag are different, why?

The test for the x-robots tag was done for all "non-JSON" responses,
yet the middleware itself used to check whether the resource
was HTML. I went with the middleware's view of the world and moved
the x-robots-tag check to be done on every html page.

The unit tests also ditch the check for content-security-policy-report-only

Good eye. Those tests should have been failing. We have not served
the report-only header for quite a while, which leads me to believe that
the call to csp.isCspRequired was always returning false. Instead
of relying upon csp.isCspRequired, I encode whether CSP is expected
within the route declarations. Assume CSP is required for all HTML resources,
then add csp: false to those that do not.
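The wrapping pattern described above, as an added example that is not the FxA content-server code. It stands in for Express and the on-headers module with a minimal response object whose registered listeners run right before headers are flushed, so it runs offline; the names `Response`, `onHeaders`, `htmlOnly`, `frameGuard`, `noindex`, `csp`, `handle` and the route table are assumptions. Each header setter is deferred to flush time and only fires when the response content-type is HTML, which is why a 404 page rendered outside the route table still gets the headers while JSON responses do not; CSP follows the "required unless the route says `csp: false`" rule from the description.

```javascript
// Added example, not the project's own code. Stand-ins for Express/on-headers.
const HTML_RE = /^text\/html\b/i;

// Minimal response object: headers are "flushed" when end() is called, and
// onHeaders listeners run immediately before that (as the on-headers module does).
class Response {
  constructor() {
    this.headers = {};
    this.statusCode = 200;
    this.headersSent = false;
    this._listeners = [];
  }
  setHeader(name, value) { this.headers[name.toLowerCase()] = value; return this; }
  getHeader(name) { return this.headers[name.toLowerCase()]; }
  type(contentType) { return this.setHeader('Content-Type', contentType); }
  status(code) { this.statusCode = code; return this; }
  end() {
    if (!this.headersSent) {
      for (const fn of this._listeners) fn.call(this);
      this.headersSent = true;
    }
    return this;
  }
}

// Register a hook that runs once, right before headers go out.
function onHeaders(res, listener) { res._listeners.push(listener); }

// Wrap a header-setting function so it runs at flush time, and only for HTML.
// This is the generic form of what the PR does for frame-guard, csp and noindex.
function htmlOnly(setHeaders) {
  return function middleware(req, res, next) {
    onHeaders(res, function () {
      const ct = this.getHeader('Content-Type') || '';
      if (HTML_RE.test(ct)) setHeaders(req, this);
    });
    next();
  };
}

// The three wrapped header setters (header values here are illustrative).
const frameGuard = htmlOnly((req, res) => res.setHeader('X-Frame-Options', 'DENY'));
const noindex = htmlOnly((req, res) => res.setHeader('X-Robots-Tag', 'noindex,nofollow'));
const csp = htmlOnly((req, res) => {
  // CSP is assumed required for every HTML route unless the route opts out.
  if (req.route && req.route.csp === false) return;
  res.setHeader('Content-Security-Policy', "default-src 'self'");
});

// Tiny dispatcher: run the middleware chain, then the matching route or a 404 page.
function handle(routes, path) {
  const req = { path, route: routes.find((r) => r.path === path) || null };
  const res = new Response();
  const chain = [frameGuard, noindex, csp];
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  if (req.route) {
    req.route.handler(req, res);
  } else {
    // The 404 page is rendered outside the route table; the deferred
    // header setters still apply because the content-type is HTML.
    res.status(404).type('text/html; charset=utf-8').end();
  }
  return res;
}

// Constructed route table: one route opts out of CSP, one serves JSON.
const routes = [
  { path: '/', handler: (req, res) => res.type('text/html; charset=utf-8').end() },
  { path: '/legal', csp: false, handler: (req, res) => res.type('text/html').end() },
  { path: '/api/status', handler: (req, res) => res.type('application/json').end() },
];

// Usage: an unknown path falls through to the 404 page and still gets the headers.
const notFound = handle(routes, '/does-not-exist');
console.log(notFound.statusCode, notFound.headers);
```

The unit-test simplification mentioned in the description follows from this shape: once a setter only ever runs for HTML, its own tests no longer need to exercise the "is this HTML?" branch, and the route declaration rather than a runtime predicate decides whether CSP applies.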

g-k and others added 5 commits Feb 16, 2017
What is the problem?
The 404 page didn't have x-frame-options, content-security-policy,
and x-robots-tag headers set.

How does this fix it?
Set up the frame-guard, csp, and noindex middlewares to set their
headers on *every* HTML response. This is done by wrapping existing
middlewares that only work with HTML responses in the `onHeaders`
middleware. Using the `onHeaders` middleware, check if the
content-type is HTML, and if so, call the original middleware to
set the header.

Why are all those tests updated?
I updated the unit tests of frame-guard, csp, and noindex to ignore
the onHeaders middleware. Additionally, since we know definitively
the response is HTML, the checks to see if the middleware is applicable
are no longer needed, except for CSP where no CSP headers are set for unit
tests. This allowed me to remove utils.js too.

The unit tests for the x-robots-tag are different, why?
The test for the x-robots tag was done for all "non-JSON" responses,
yet the middleware itself used to check whether the resource
was HTML. I went with the middleware's view of the world and moved
the x-robots-tag check to be done on every html page.

The unit tests also ditch the check for `content-security-policy-report-only`
Good eye. Those tests *should have been failing*. We have not served
the report-only header for quite a while, which leads me to believe that
the call to csp.isCspRequired was always returning `false`. Instead
of relying upon `csp.isCspRequired`, I encode whether CSP is expected
within the route declarations. Assume CSP is required for all HTML resources,
then add `csp: false` to those that do not.
@shane-tomlinson shane-tomlinson force-pushed the add-csp-to-404-page-shane branch from c259c61 to 688a3f8 Feb 23, 2017
@shane-tomlinson shane-tomlinson removed their assignment Feb 23, 2017
@shane-tomlinson
Member Author

@shane-tomlinson shane-tomlinson commented Feb 23, 2017

@mozilla/fxa-devs - r?

@rfk - can you verify that I didn't break the x-robots-tag work you did? More info in the PR comment.

@shane-tomlinson shane-tomlinson changed the title Add csp to 404 page shane feat(server): Set security headers on all HTML pages. Feb 23, 2017
@shane-tomlinson shane-tomlinson requested a review from rfk Feb 23, 2017
@rfk
rfk approved these changes Feb 23, 2017
Member

@rfk rfk left a comment

Looks fine to me

@shane-tomlinson shane-tomlinson merged commit 878b694 into master Feb 24, 2017
4 checks passed
ci/circleci Your tests passed on CircleCI!
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
coverage/coveralls Coverage remained the same at 98.347%
@shane-tomlinson shane-tomlinson deleted the add-csp-to-404-page-shane branch Feb 24, 2017
@rfk rfk added this to the FxA-0: quality milestone Mar 16, 2017
3 participants