Closed Bug 1310118 Opened 8 years ago Closed 8 years ago

[observatory] snippets.cdn.mozilla.net (C)

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: Atoll)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3543])

We host this site on CloudFront. It currently scores a C:

HTTP Observatory Report: snippets.cdn.mozilla.net

Score Rule                           Description
  -25 content-security-policy        Content Security Policy (CSP) header not implemented.
  -20 redirection                    Does not redirect to an https site.
    0 cookies                        No cookies detected.
    0 cross-origin-resource-sharing  Content is not visible via cross-origin resource sharing (CORS) files or headers.
    0 public-key-pinning             HTTP Public Key Pinning (HPKP) header not implemented.
    0 contribute                     Contribute.json implemented with the required contact information.
    0 strict-transport-security      HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000).
    0 subresource-integrity          Subresource Integrity (SRI) is not needed since site contains no script tags.
    0 x-content-type-options         X-Content-Type-Options header set to "nosniff".
    0 x-frame-options                X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
    0 x-xss-protection               X-XSS-Protection header set to "1; mode=block".

Score: 55
Grade: C
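To make the report above reproducible offline, here is a small checker that applies the header rules the report lists to a set of HTTP response headers and returns the same score. This is an added example, not Mozilla's Observatory scoring code: the penalties (-25 for a missing CSP, -20 for not redirecting to https) and the six-month HSTS floor (15768000 seconds) are taken from the report in this bug; the rules that need more than response headers (cookies, CORS, HPKP, contribute.json, SRI) are not modelled and score 0 here as they did in the report. The sample headers and the placeholder CSP value are constructed for the example; the real policy for this site is being worked on separately.

```python
"""Re-check the HTTP Observatory header rules from the bug report, offline.

Added example. Only the penalties visible in the report are applied; every
other rule is reported as pass/fail without affecting the score.
"""

SIX_MONTHS = 15768000  # seconds; the minimum HSTS max-age the report requires

# Penalties exactly as they appear in the report in this bug.
PENALTIES = {"content-security-policy": -25, "redirection": -20}


def parse_hsts_max_age(value):
    """Return the max-age (seconds) from an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_headers(http_status, http_location, https_headers):
    """Apply the report's header rules.

    http_status / http_location describe the response to the plain-http request
    (the redirection rule); https_headers are the response headers of the https
    request. Returns (score, results) where results maps rule -> True (pass) / False (fail).
    """
    h = {k.lower(): v for k, v in https_headers.items()}
    results = {}

    # content-security-policy: the report only checks presence, so do the same here.
    results["content-security-policy"] = "content-security-policy" in h

    # redirection: plain http must answer with a redirect whose target is https.
    results["redirection"] = (
        http_status in (301, 302, 307, 308)
        and http_location is not None
        and http_location.lower().startswith("https://")
    )

    # strict-transport-security: max-age must be at least six months.
    max_age = parse_hsts_max_age(h.get("strict-transport-security", ""))
    results["strict-transport-security"] = max_age is not None and max_age >= SIX_MONTHS

    # x-content-type-options: must be exactly "nosniff".
    results["x-content-type-options"] = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    # x-frame-options: SAMEORIGIN or DENY both pass.
    results["x-frame-options"] = h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN")

    # x-xss-protection: must be "1; mode=block".
    parts = [p.strip().lower() for p in h.get("x-xss-protection", "").split(";")]
    results["x-xss-protection"] = parts == ["1", "mode=block"]

    score = 100 + sum(PENALTIES[rule] for rule, ok in results.items() if rule in PENALTIES and not ok)
    return score, results


# Constructed sample: the response shape the report above describes
# (HSTS, nosniff, XFO and XSS headers present, no CSP, and the plain-http
# request answered 200 instead of redirected).
CURRENT_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}


def score_current():
    """Score the constructed sample as the site was reported: expected 55."""
    return check_headers(200, None, CURRENT_HEADERS)


def score_after_fix():
    """Score the same sample with a CSP header and an https redirect added.

    The CSP value is a placeholder for the example only; the actual policy for
    this site is not part of this bug.
    """
    fixed = dict(CURRENT_HEADERS)
    fixed["Content-Security-Policy"] = "default-src 'none'"  # placeholder, not the real policy
    return check_headers(301, "https://snippets.cdn.mozilla.net/", fixed)


if __name__ == "__main__":
    for label, fn in (("current", score_current), ("after fix", score_after_fix)):
        score, results = fn()
        failed = [rule for rule, ok in results.items() if not ok]
        print(f"{label}: score {score}, failing rules: {failed or 'none'}")
```

Running the block prints score 55 with content-security-policy and redirection failing for the current sample, and 100 with nothing failing once both are addressed. Note that a CDN-fronted origin can pass the https-side checks while still failing redirection, because the plain-http request is answered by the edge; that is why the redirect is tracked as its own fix.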
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3543]
We are addressing the -20 redirection penalty in bug 1302420.

:giorgos, could you recommend to us an appropriate Content-Security-Policy for the content served by this site - or, may we facilitate a discussion between you (or someone you recommend) and a CSP expert from our websec team?
Flags: needinfo?(giorgos)
Assignee: server-ops-webops → rsoderberg
See Also: → 1058759
(In reply to Richard Soderberg [:atoll] from comment #1)
> :giorgos, could you recommend to us an appropriate Content-Security-Policy
> for the content served by this site - or, may we facilitate a discussion
> between you (or someone you recommend) and a CSP expert from our websec team?

We're already working on this and we'll be setting CSP headers in the origin.
Flags: needinfo?(giorgos)
(In reply to Giorgos Logiotatidis [:giorgos] from comment #2)
> (In reply to Richard Soderberg [:atoll] from comment #1)
> > :giorgos, could you recommend to us an appropriate Content-Security-Policy
> > for the content served by this site - or, may we facilitate a discussion
> > between you (or someone you recommend) and a CSP expert from our websec team?
> 
> We're already working on this and we'll be setting CSP headers in the origin.

Excellent! Could you link us to the bug or issue tracking that work?
(In reply to Richard Soderberg [:atoll] from comment #3)
> Excellent! Could you link us to the bug or issue tracking that work?

Here you go https://bugzilla.mozilla.org/show_bug.cgi?id=1311677
Awesome, thank you :) Closing this bug as WebOps has no remaining work, marking bug 1311677 as a dependency to keep tabs on it.
Status: NEW → RESOLVED
Closed: 8 years ago
Depends on: 1311677
Resolution: --- → FIXED
(There are now two dependent bugs that are both being worked on, one by us.)
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard