Closed Bug 1050350 Opened 11 years ago Closed 11 years ago

Stop allowing insecure CSP resources in webpay production

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P2)

Avenir
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kumar, Assigned: andy+bugzilla)

Details

Webpay has this line in its base settings, which means it will apply to production:

    # When running in DEBUG mode, we assume you are running locally
    # and are not using SSL. If that's the case, resources might load
    # as http too.
    if DEBUG:
        for key in ('CSP_IMG_SRC', 'CSP_MEDIA_SRC', 'CSP_SCRIPT_SRC'):
            values = locals()[key]
            new = []
            for value in values:
                if value.startswith('https://'):
                    new.append(value.replace('https://', 'http://'))
            locals()[key] = tuple(list(values) + new)

https://github.com/mozilla/webpay/blob/master/webpay/settings/base.py#L326-L336

The reason it applies to prod is that when the base settings file is executed, DEBUG is always True. There is no reason why we should allow HTTP resources via CSP in production.
Assignee: nobody → amckay
Priority: -- → P2
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
STR:

    curl -I https://[server you are testing it on]/mozpay/

Ensure that there is no http:// in the Content-Security-Policy-Report-Only section.
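A way to automate the check in the STR above, as an added example rather than webpay's own code or anything from this bug: parse the Content-Security-Policy-Report-Only header and flag any http:// or bare http: source in the three directives the settings block rewrites. The sample header and the .invalid hostnames are constructed for illustration; the function names are my own.

```python
"""Verify a CSP (report-only) header carries no plaintext http:// sources.

Added example, not code from webpay or this bug: it automates the STR's
manual inspection of the Content-Security-Policy-Report-Only header.
"""
import urllib.request

# The three directives the DEBUG branch in webpay's base settings rewrites.
WATCHED = ("img-src", "media-src", "script-src")

# Constructed sample header: the DEBUG branch has leaked an http:// twin of
# each https:// source into img-src and script-src. Hostnames are placeholders.
SAMPLE_HEADER = (
    "default-src 'self'; "
    "img-src 'self' https://cdn.example.invalid http://cdn.example.invalid; "
    "media-src 'self' https://media.example.invalid; "
    "script-src 'self' https://js.example.invalid http://js.example.invalid"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def insecure_sources(header, directives=WATCHED):
    """Return (directive, source) pairs that permit plaintext HTTP loads."""
    policy = parse_csp(header)
    hits = []
    for directive in directives:
        for source in policy.get(directive, []):
            low = source.lower()
            # A bare 'http:' scheme-source allows any http:// host at all.
            if low.startswith("http://") or low == "http:":
                hits.append((directive, source))
    return hits


def fetch_report_only_policy(url):
    """HEAD the URL (as the STR's curl -I does) and return the report-only header."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Content-Security-Policy-Report-Only", "")


if __name__ == "__main__":
    for directive, source in insecure_sources(SAMPLE_HEADER):
        print(f"insecure {directive}: {source}")
```

Against a live server, pass `fetch_report_only_policy("https://<server>/mozpay/")` to `insecure_sources`; an empty result is the pass condition from the STR.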