Closed Bug 1052247 Opened 6 years ago Closed 3 years ago

FxAccountsOAuthClient should require HTTPS URLs

(Firefox :: Firefox Accounts, defect, P2)

RESOLVED FIXED
Firefox 58
Tracking Status
firefox58 --- fixed

(Reporter: MattN, Assigned: tcsc)

We should enforce at the FxAccountsOAuthClient level that OAuth is done over HTTPS, not HTTP.
I don't disagree. One note: we enforce HTTPS for the FxA Auth URL in the browser without any easy way to override, and it's a PITA to do dev against a local HTTP server. It would be nice to have a pref to disable that enforcement.
Yeah, we will need a way to override it since XPCShell tests still don't allow HTTPS test servers (that is bug 466524; browser-chrome and other suites support this already). For UITour we added a pref browser.uitour.requireSecure that is true by default but can be flipped to false for developers.
(In reply to Matthew N. [:MattN] from comment #2)
> Yeah, we will need a way to override it since XPCShell tests still don't
> allow HTTPS test servers (bug that is bug 466524. browser-chrome and other
> suites support this already). For UITour we added a pref
> browser.uitour.requireSecure that is true by default but can be flipped to
> false for developers.

A custom setting such as "requireSecure" would be awesome!

Currently for FxA we have: http://mxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccounts.jsm#848

"Firefox Accounts server must use HTTPS"
Priority: -- → P2
Assignee: nobody → tchiovoloni
I'm not 100% sure if this was supposed to be via a new preference, or via the same one mentioned in comment 3. I've assumed it's supposed to be a new one in this code.
Comment on attachment 8915313 [details]
Bug 1052247 - Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient.

https://reviewboard.mozilla.org/r/186508/#review191684

This looks fine, but as you guessed I might say, I see no need for a new preference - this is a "debug only" preference, so I think it's fine to have a single pref that applies everywhere and is one less thing to confuse other devs.
Attachment #8915313 - Flags: review?(markh)
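The check the review above converges on, as an added illustration that is not Mozilla's code or the landed patch: an OAuth server URL is accepted only over HTTPS, with one debug-only boolean pref as the sole override. The pref name `identity.fxaccounts.oauth.requireSecure`, the in-memory `prefs` map standing in for `Services.prefs`, and the sample URLs are all assumptions made for this example.

```javascript
// Added example, not code from the bug or from mozilla-central.
// Hypothetical pref name; the real one is whatever the patch defined.
const REQUIRE_SECURE_PREF = "identity.fxaccounts.oauth.requireSecure";

// Constructed stand-in for Services.prefs so the example runs in plain Node.
// Default is true: HTTPS is required unless a developer flips it off.
const prefs = new Map([[REQUIRE_SECURE_PREF, true]]);
function getBoolPref(name, fallback) {
  return prefs.has(name) ? prefs.get(name) : fallback;
}

// Returns the normalised URL string if the policy allows it, otherwise throws.
function validateOAuthServerUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    throw new Error(`OAuth server URL is not a valid absolute URL: ${rawUrl}`);
  }
  if (url.protocol === "https:") {
    return url.href;
  }
  // Plain http is the only other scheme ever tolerated, and only when the
  // debug pref has been explicitly set to false (e.g. local dev or xpcshell).
  const requireSecure = getBoolPref(REQUIRE_SECURE_PREF, true);
  if (url.protocol === "http:" && !requireSecure) {
    return url.href;
  }
  throw new Error(`OAuth server must use HTTPS (got ${url.protocol}): ${rawUrl}`);
}

// Boolean wrapper for callers that just want the policy decision.
function isAllowedOAuthServerUrl(rawUrl) {
  try {
    validateOAuthServerUrl(rawUrl);
    return true;
  } catch (e) {
    return false;
  }
}
```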
Comment on attachment 8915313 [details]
Bug 1052247 - Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient.

https://reviewboard.mozilla.org/r/186508/#review192038

Thanks!
Attachment #8915313 - Flags: review?(markh) → review+
Pushed by tchiovoloni@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1858ac6e5128
Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient. r=markh
https://hg.mozilla.org/mozilla-central/rev/1858ac6e5128
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Product: Core → Firefox
Target Milestone: mozilla58 → Firefox 58