Bug 1210569 - Move bugzilla.mozilla.org to its own domain
Status: Closed (RESOLVED WONTFIX)
Opened 9 years ago; closed 7 years ago
Categories: bugzilla.mozilla.org :: General, defect
People: Reporter: jruderman; Unassigned
Details: Keywords: sec-moderate
In bug 918180, we decided that a well-known hole in the same origin policy [1] was a danger to Bugzilla. To prevent Bugzilla attachments from exploiting it, we moved attachments from *.bugzilla.mozilla.org to *.bmoattachments.org. But that's not sufficient to protect our instance of Bugzilla. We have XSS bugs in mozilla.org subdomains all the time [2], and most of these subdomains aren't even covered by our bug bounty [3].

Possible solutions, from most general to most expedient:

A) Fix [1], for all sites (using a new CSP flag?), in all browsers
B) Audit Bugzilla to ensure that [1] does not affect it badly
C) Move bugzilla.mozilla.org to its own domain (bugzil.la?)

This bug is for (C).

[1]
Updated•9 years ago
Group: bugzilla-security
Comment 1•9 years ago
[1] Redacted
[2] https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20su%2Ckw%3Axss%20sw%2Curl%3Amozilla.org&order=bugs.bug_id%20desc&list_id=12584624
[3] https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs
Comment 2•9 years ago
while it would be ideal, mozilla doesn't own or manage the bugzil.la domain. reed - how do you feel about handing over the bugzil.la domain to moco?
Flags: needinfo?(reed)
Comment 3•9 years ago
Where do we discuss option B), the option of hardening Bugzilla against the problem [1]? If an adequate set of defences for a web app to protect itself from problems on different sites in the same domain do not actually exist, then that would surely mean that the browser makers need to take option A) ASAP?

Gerv
Comment 4•9 years ago
For C), based on our recent work with etherpad, I suggest 'bugzilla-mozilla.org'. It's the same domain as before, just with a carefully placed - to work around cookie subdomain inheritance stuff. We can use the same SSL certificate for both b.m.o and b-m.o and redirect from the former to the latter, so that the ownership trail is clear and so on. And that way it's still BMO, and not just 'bugzilla'.
Comment 5•9 years ago
_How_ we do it is not so tricky; but perhaps we should resolve "if" first? :-)

Gerv
Comment 6•9 years ago
(In reply to Byron Jones [:glob] from comment #2)
> while it would be ideal, mozilla doesn't own or manage the bugzil.la domain.
> reed - how do you feel about handing over the bugzil.la domain to moco?

Let's chat OOB (IRC is fine) about this if that's a serious option. However, .LA ccTLD is not known for being the most stable, so operationally and security-wise, might be a concern.
Flags: needinfo?(reed)
Comment 7•7 years ago
It is not clear that bug 918180 was ever a danger to BMO. There are still risks associated with this domain setup, although many of them could be solved by using the __Host- prefix for our cookies. I'm going to mark this as WONTFIX; the cost of changing the domain is currently too high to justify.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
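The two mitigations discussed in this thread (comment 4's hyphenated domain and comment 7's __Host- cookie prefix) both come down to the browser's cookie scoping rules. The following is an added illustration, not code from this bug or from Bugzilla: it models the RFC 6265 domain-match rule and the __Host- prefix acceptance rule in a few lines and runs a constructed scenario in which a cookie carrying `Domain=mozilla.org` is set from some other mozilla.org host. The hostnames and cookie values are constructed for the example; the browser's real cookie store has more rules (public-suffix checks, the secure-scheme requirement for __Host-) that are out of scope here.

```python
"""Model of cookie scoping: which hosts receive a Domain=mozilla.org cookie,
and what the __Host- prefix rule rejects. Added illustration; the hosts and
cookie values below are constructed, not taken from bugzilla.mozilla.org."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: Optional[str]   # value of the Domain attribute, None = host-only
    set_by: str             # host whose response carried the Set-Cookie
    secure: bool = True
    path: str = "/"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie
    domain or is a dot-separated subdomain of it. The dot boundary is the
    whole point of comment 4: bugzilla-mozilla.org is not a subdomain of
    mozilla.org, while bugzilla.mozilla.org is."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def set_cookie_allowed(set_by: str, domain_attr: Optional[str]) -> bool:
    """A browser stores a cookie with a Domain attribute only if the
    responding host itself domain-matches that attribute, so any host under
    mozilla.org may set a cookie scoped to the whole of mozilla.org."""
    return domain_attr is None or domain_matches(set_by, domain_attr)


def cookie_is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies go back only to the host that set them; domain
    cookies go to every host that domain-matches the Domain attribute."""
    if cookie.domain is None:
        return request_host.lower() == cookie.set_by.lower()
    return domain_matches(request_host, cookie.domain)


def host_prefix_violation(name: str, domain_attr: Optional[str],
                          secure: bool, path: str) -> Optional[str]:
    """Acceptance rule for __Host- cookies (comment 7's mitigation): the
    cookie must be Secure, carry no Domain attribute and have Path=/.
    Returns the reason the cookie would be rejected, or None if accepted."""
    if not name.startswith("__Host-"):
        return None
    if not secure:
        return "missing Secure"
    if domain_attr is not None:
        return "Domain attribute present"
    if path != "/":
        return "Path is not /"
    return None


def scenario() -> dict:
    """Constructed scenario: a cookie named like a session cookie is set with
    Domain=mozilla.org from a different mozilla.org host. Shows where the
    browser would send it and which cookie name the __Host- rule protects."""
    planted = Cookie("Bugzilla_login", "constructed-value",
                     domain="mozilla.org", set_by="other.mozilla.org")
    return {
        "browser_stores_it": set_cookie_allowed(planted.set_by, planted.domain),
        "reaches_bugzilla.mozilla.org": cookie_is_sent_to(planted, "bugzilla.mozilla.org"),
        "reaches_bugzilla-mozilla.org": cookie_is_sent_to(planted, "bugzilla-mozilla.org"),
        # The same cookie under the __Host- prefix is refused by the browser
        # before it is stored, because it carries a Domain attribute.
        "host_prefix_rejects_domain_cookie":
            host_prefix_violation("__Host-Bugzilla_login", "mozilla.org", True, "/"),
        # A host-only, Secure, Path=/ cookie set by bugzilla.mozilla.org itself passes.
        "host_prefix_accepts_host_only":
            host_prefix_violation("__Host-Bugzilla_login", None, True, "/"),
    }


if __name__ == "__main__":
    for key, result in scenario().items():
        print(f"{key}: {result}")
```

Running the scenario shows the two outcomes the thread relies on: the domain cookie is stored and sent to bugzilla.mozilla.org but never to bugzilla-mozilla.org, and a __Host- prefixed cookie cannot carry a Domain attribute at all, so a sibling host has no way to scope one onto BMO.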