Closed
Bug 1310118
Opened 8 years ago
Closed 8 years ago
[observatory] snippets.cdn.mozilla.net (C)
Categories
(Infrastructure & Operations Graveyard :: WebOps: Other, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Atoll, Assigned: Atoll)
References
Details
(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3543])
We host this site on CloudFront. It currently scores a C:

HTTP Observatory Report: snippets.cdn.mozilla.net

Score  Rule                            Description
-25    content-security-policy         Content Security Policy (CSP) header not implemented.
-20    redirection                     Does not redirect to an https site.
0      cookies                         No cookies detected.
0      cross-origin-resource-sharing   Content is not visible via cross-origin resource sharing (CORS) files or headers.
0      public-key-pinning              HTTP Public Key Pinning (HPKP) header not implemented.
0      contribute                      Contribute.json implemented with the required contact information.
0      strict-transport-security       HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000).
0      subresource-integrity           Subresource Integrity (SRI) is not needed since site contains no script tags.
0      x-content-type-options          X-Content-Type-Options header set to "nosniff".
0      x-frame-options                 X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
0      x-xss-protection                X-XSS-Protection header set to "1; mode=block".

Score: 55
Grade: C
We are addressing the -20 redirection penalty in bug 1302420. :giorgos, could you recommend to us an appropriate Content-Security-Policy for the content served by this site - or, may we facilitate a discussion between you (or someone you recommend) and a CSP expert from our websec team?
Flags: needinfo?(giorgos)
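As an added example (not part of this bug or of Observatory's own code), a small audit that applies the header rules listed in the report above to a set of response headers, using only the two penalties the report states (-25 for a missing CSP, -20 for no HTTPS redirect); the sample header values are constructed.

```python
HSTS_MIN_AGE = 15768000  # six months, the threshold the report cites


def _max_age(hsts_value):
    """Return the max-age directive of an HSTS header value, or 0 if absent."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return 0


def audit_headers(headers, redirects_to_https):
    """Return (score, findings) for one response.

    `headers` maps lowercase header names to values; `redirects_to_https`
    records whether the plain-http URL redirected to https. Only the two
    penalties the report states are applied (-25, -20); other failures are
    listed without a score change, since the report does not show them.
    """
    score, findings = 100, []
    if "content-security-policy" not in headers:
        findings.append("content-security-policy: header not implemented")
        score -= 25
    if not redirects_to_https:
        findings.append("redirection: does not redirect to an https site")
        score -= 20
    if _max_age(headers.get("strict-transport-security", "")) < HSTS_MIN_AGE:
        findings.append("strict-transport-security: max-age below six months")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: not set to nosniff")
    if headers.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("x-frame-options: not SAMEORIGIN or DENY")
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("x-xss-protection: not set to 1; mode=block")
    return score, findings


# Constructed sample: the header set the report implies (no CSP, no HTTPS
# redirect, the remaining header checks passing).
REPORTED_HEADERS = {
    "strict-transport-security": "max-age=15768000",
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
}

if __name__ == "__main__":
    print(audit_headers(REPORTED_HEADERS, redirects_to_https=False))  # score 55, two findings
```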
Comment 2•8 years ago
(In reply to Richard Soderberg [:atoll] from comment #1)
> :giorgos, could you recommend to us an appropriate Content-Security-Policy
> for the content served by this site - or, may we facilitate a discussion
> between you (or someone you recommend) and a CSP expert from our websec team?

We're already working on this and we'll be setting CSP headers in the origin.
Flags: needinfo?(giorgos)
(In reply to Giorgos Logiotatidis [:giorgos] from comment #2)
> (In reply to Richard Soderberg [:atoll] from comment #1)
> > :giorgos, could you recommend to us an appropriate Content-Security-Policy
> > for the content served by this site - or, may we facilitate a discussion
> > between you (or someone you recommend) and a CSP expert from our websec team?
>
> We're already working on this and we'll be setting CSP headers in the origin.

Excellent! Could you link us to the bug or issue tracking that work?
Comment 4•8 years ago
(In reply to Richard Soderberg [:atoll] from comment #3)
> Excellent! Could you link us to the bug or issue tracking that work?

Here you go: https://bugzilla.mozilla.org/show_bug.cgi?id=1311677
Awesome, thank you :) Closing this bug as WebOps has no remaining work, marking bug 1311677 as a dependency to keep tabs on it.
(There are now two dependent bugs that are both being worked on, one by us.)
Updated•5 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard