Add security related headers to build.servo.org

[jarondl]

Add some headers to build.servo.org to improve our Mozilla Observatory
score. The helps the cause of #473, by raising our score from F (0) to a
whopping B- (65). The testing is still basic, the docker-observatory
based testing will go in a different PR.

To get to an A+ we must first implement https.

This is the local observatory report:

Score Rule                       Description
      -20 redirection                Does not redirect to an https site.
      -20 strict-transport-security  HTTP Strict Transport Security (HSTS)
        header cannot be set for sites not available over https.
       -5 contribute                 Contribute.json file missing from root
        of website.
        5 content-security-policy    Content Security Policy (CSP)
        implemented without 'unsafe-inline' or 'unsafe-eval'.
        5 x-frame-options            X-Frame-Options (XFO) implemented via
        the CSP frame-ancestors directive.

    Score: 65
    Grade: B-

---

This change is

[highfive]

Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @aneeshusa (or someone else) soon.

[aneeshusa]

@jarondl Can you point me to some documentation about the contribute.json file? I haven't heard of this and didn't see it on the observatory results.

[jarondl]

Yes, contribute.json is quite obscure. I have found out about it only when I've browsed through the observatory code to resolve some issues.
According to the observatory, only Mozilla related websites must have it, see for example:

https://observatory.mozilla.org/analyze.html?host=mozilla.org

The list of mozilla related sites is hard coded here: https://github.com/mozilla/http-observatory/blob/7dd04ff5b51e39698a8b683df33ef430b4ed4213/httpobs/conf/httpobs.conf#L33
and servo is not there, but in all fairness it should be. We should submit a PR to add it, and lower our grade from 70 to 65.

[jarondl]

I believe the tests have failed because buildbot is down in travis. This should be solved by #505, right?

[aneeshusa]

Buildbot immediately stops on Travis after being started (due to our fake test credentials not validating IIRC), which I don't have an easy fix for. In the meantime, I believe this is why I added the make_cors_request function in #375, since Nginx should still add the headers even though the status code indicates error (since Buildbot is down). Try adding/using that in this test.

[aneeshusa]

Sorry about the delay in reviewing. The headers themselves and the test case look good modulo a few nits, the Salt side needs a little more work.

[aneeshusa]

nit: mozilla -> Mozilla

[aneeshusa]

spelling: suit -> suite

[aneeshusa]

The options we're setting are fairly basic and IMO the headers are readable enough as is that we don't need an expository comment for each one.

[aneeshusa]

Use salt://{{ tpldir }}/files/https_headers.conf, and make a files subdir to put the config file in.

I'm not sure how well you know Salt, but we'll also want the /etc/nginx/conf.d state from #375 and some requisites to order things correctly/restart nginx automatically on config change. I can also take care of this if you'd like.

[aneeshusa]

This line is failing tidy because it is too long.

[aneeshusa]

style nit: leave a trailing comma after this last tuple, and put the closing ] by itself on the next line.

[aneeshusa]

spelling: securirty -> security

[aneeshusa]

Also, please open a separate issue about contribute.json to keep this PR about headers.

[jarondl]

Hi @aneeshusa , thanks for reviewing, I will work on it.

[aneeshusa]

I'm going to close this as it's been inactive for a while; anyone is welcome to pick this work up again.