Closed
Bug 1122735
Opened 10 years ago
Closed 9 months ago
Warn about changes to security headers
Categories
(addons.mozilla.org Graveyard :: Add-on Validation, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
2015-02
People
(Reporter: kmag, Unassigned)
Details
(Whiteboard: [ReviewTeam:P1])
There are a number of add-ons which have been attempting to change HTTP security headers in unsafe ways. We should warn whenever an add-on attempts to set the values of any of the following response headers:
Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Access-Control-Expose-Headers
Access-Control-Max-Age
(Possibly just Access-Control-*)
Content-Security-Policy
Content-Security-Policy-Report-Only
Strict-Transport-Security
X-Content-Security-Policy
X-Frame-Options
And probably the following request headers as well:
Access-Control-Request-Headers
Access-Control-Request-Method
Origin
Referer
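One way to implement the warning described above, as an added example that is not code from this bug or from the AMO validator. It assumes the add-on sets headers through nsIHttpChannel's setResponseHeader/setRequestHeader with a string-literal header name; the function name find_header_warnings and the sample source are constructed for illustration.

```python
import re

# Header names come from the bug description. Matching is case-insensitive
# because HTTP header field names are case-insensitive.
RESPONSE_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "strict-transport-security",
    "x-content-security-policy",
    "x-frame-options",
}
RESPONSE_PREFIX = "access-control-"  # "Possibly just Access-Control-*"
REQUEST_HEADERS = {
    "access-control-request-headers",
    "access-control-request-method",
    "origin",
    "referer",
}

# Assumption: only calls with a quoted literal as the first argument are
# recognised; a name passed in a variable is not resolved by this check.
CALL_RE = re.compile(
    r"\.set(Response|Request)Header\s*\(\s*(['\"])([^'\"]+)\2")


def find_header_warnings(source):
    """Return (line, kind, header) for each call that sets a listed header."""
    warnings = []
    for match in CALL_RE.finditer(source):
        kind = match.group(1).lower()
        name = match.group(3).strip().lower()
        if kind == "response":
            flagged = (name in RESPONSE_HEADERS
                       or name.startswith(RESPONSE_PREFIX))
        else:
            flagged = name in REQUEST_HEADERS
        if flagged:
            line = source.count("\n", 0, match.start()) + 1
            warnings.append((line, kind, match.group(3)))
    return warnings


# Constructed sample add-on source, not taken from any real add-on.
SAMPLE = '''\
channel.setResponseHeader("X-Frame-Options", "", false);
channel.setResponseHeader('access-control-allow-origin', "*", false);
channel.setRequestHeader("Referer", ref, false);
channel.setRequestHeader("X-Custom", "1", false);
channel.setResponseHeader(name, value, false);
'''
```

The last sample line is not reported because its header name is a variable, so a reviewer still needs to inspect calls whose first argument is not a literal.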
Reporter
Updated • 10 years ago
Whiteboard: [ReviewTeam] → [ReviewTeam:P1]
Reporter
Updated • 10 years ago
Target Milestone: --- → 2015-02
Updated • 9 years ago
Assignee: nobody → mstriemer
Assignee
Updated • 9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Updated • 8 years ago
Assignee: mstriemer → nobody
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → INCOMPLETE