1033872 - split off api.accounts.firefox.com

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[[:mmc] Monica Chew (no longer reading bugmail)]

According to ckarlof, this domain is used for syncing in background soon after startup and probably more prone to captive portal violations. If violations are mostly on api.accounts.firefox.com, then that's ok.

Comment 1

[[:mmc] Monica Chew (no longer reading bugmail)]

Attachment: Split off api.accounts.firefox.com into a separate pinset (

Comment 2

[Dana Keeler (she/her) (use needinfo) (:keeler for reviews)]

Comment on attachment 8449906 [details] [diff] [review]
Split off api.accounts.firefox.com into a separate pinset (

Review of attachment 8449906 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/manager/boot/src/StaticHPKPins.h
@@ +710,5 @@
>    { "addons.mozilla.net", true, false, true, 2, &kPinset_mozilla },
>    { "addons.mozilla.org", true, false, true, 1, &kPinset_mozilla },
>    { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
>    { "android.com", true, false, false, -1, &kPinset_google_root_pems },
> +  { "api.accounts.firefox.com", true, true, false, 5, &kPinset_mozilla_fxa },

Should mIsMoz be true for this? (and accounts.firefox.com)
I guess it doesn't matter for hosts that actually have telemetry ids?

Comment 3

[[:mmc] Monica Chew (no longer reading bugmail)]

> Should mIsMoz be true for this? (and accounts.firefox.com)
> I guess it doesn't matter for hosts that actually have telemetry ids?

mIsMoz is pinset_name == "mozilla" which isn't true for these 2. Either way, for hosts that have ids we exclude them from the mozilla/non-mozilla volume and rate telemetry counts -- they only appear in the per-host counts.

Comment 4

[[:mmc] Monica Chew (no longer reading bugmail)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7c0af1873a74

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/7c0af1873a74