Closed Bug 1009696 Opened 10 years ago Closed 9 years ago

why do we whitelist paypal sandbox on -dev?

Tracking

(Not tracked)

Status:

RESOLVED WONTFIX

People

(Reporter: clouserw, Unassigned)

References

Details

Wil Clouser [:clouserw]

Reporter

Description

•

10 years ago

In our CSP rules we whitelist sandbox.paypal.com for frame-src[1].  This is fine if we need it, but dveditz noticed we aren't whitelisting paypal in our production service.  When we turn on production CSP are we going to wish we were?

tl;dr:  Does paypal on AMO use frames and we need to whitelist it in CSP?


[1] https://github.com/mozilla/olympia/blob/master/sites/dev/settings_addons.py#L18

Andy McKay

Comment 1

•

10 years ago

Yes, we should whitelist it in the CSP on prod, paypal opens an iframe to start the payment flow.

Wil Clouser [:clouserw]

Reporter

Updated

•

10 years ago

Blocks: 594584

Andy McKay

Comment 2

•

9 years ago

We'll address this in https://github.com/mozilla/olympia/issues/995.

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → WONTFIX

Nobody; OK to take it and work on it

Assignee

Updated

•

8 years ago

Product: addons.mozilla.org → addons.mozilla.org Graveyard

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

why do we whitelist paypal sandbox on -dev?

Categories

(addons.mozilla.org Graveyard :: Code Quality, defect)

Tracking

(Not tracked)

People

(Reporter: clouserw, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Comment 2

Updated