Closed Bug 1122735 Opened 10 years ago Closed 9 months ago

Warn about changes to security headers

Categories

(addons.mozilla.org Graveyard :: Add-on Validation, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE
2015-02

People

(Reporter: kmag, Unassigned)

Details

(Whiteboard: [ReviewTeam:P1])

There are a number of add-ons which have been attempting to change HTTP security headers in unsafe ways. We should warn whenever an add-on attempts to set the values of any of the following response headers:

Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Access-Control-Expose-Headers
Access-Control-Max-Age
(Possibly just Access-Control-*)
Content-Security-Policy
Content-Security-Policy-Report-Only
Strict-Transport-Security
X-Content-Security-Policy
X-Frame-Options

And probably the following request headers as well:

Access-Control-Request-Headers
Access-Control-Request-Method
Origin
Referer
Whiteboard: [ReviewTeam] → [ReviewTeam:P1]
Target Milestone: --- → 2015-02
Assignee: nobody → mstriemer
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Assignee: mstriemer → nobody
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → INCOMPLETE
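
A sketch of the kind of check requested above, added here as an illustration and not taken from the bug or from the validator's code. It assumes add-ons set headers through nsIHttpChannel's setResponseHeader/setRequestHeader with a string-literal header name; the function names and the sample source are constructed for this example.

```python
import re

# Header names from the bug report, lowercased: HTTP header names are
# case-insensitive, so the comparison has to be as well.
RESPONSE_HEADERS = {
    "content-security-policy", "content-security-policy-report-only",
    "strict-transport-security", "x-content-security-policy",
    "x-frame-options",
}
RESPONSE_PREFIX = "access-control-"  # the report's "possibly just Access-Control-*"
REQUEST_HEADERS = {
    "access-control-request-headers", "access-control-request-method",
    "origin", "referer",
}

# Assumption: the header name is the first argument and a string literal.
# A name built at runtime (variable, concatenation) is not seen by this check.
CALL_RE = re.compile(
    r"""\.set(Response|Request)Header\s*\(\s*(["'])([^"']+)\2""")


def is_security_header(kind, name):
    """True if `name` is on the report's list for this kind of header."""
    name = name.strip().lower()
    if kind == "Request":
        return name in REQUEST_HEADERS
    return name in RESPONSE_HEADERS or name.startswith(RESPONSE_PREFIX)


def find_header_warnings(source):
    """Return (line_number, kind, header) for each flagged call in JS source."""
    warnings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            kind, header = match.group(1), match.group(3)
            if is_security_header(kind, header):
                warnings.append((lineno, kind.lower(), header))
    return warnings


# Constructed add-on source: three calls that should warn, two that should not.
SAMPLE = '''\
channel.setResponseHeader("Access-Control-Allow-Origin", "*", false);
channel.setResponseHeader("x-frame-options", "", false);
channel.setRequestHeader('Referer', spoofed, false);
channel.setRequestHeader("X-Custom", "1", false);
channel.setResponseHeader("Cache-Control", "no-cache", false);
'''
```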