Warn about changes to security headers

NEW
Unassigned

Status

4 years ago
a year ago

People

(Reporter: kmag, Unassigned)

Tracking

unspecified
2015-02

Details

(Whiteboard: [ReviewTeam:P1])

(Reporter)

Description

4 years ago
There are a number of add-ons which have been attempting to change HTTP security headers in unsafe ways. We should warn whenever an add-on attempts to set the values of any of the following response headers:

Access-Control-Allow-Credentials
Access-Control-Allow-Headers
Access-Control-Allow-Methods
Access-Control-Allow-Origin
Access-Control-Expose-Headers
Access-Control-Max-Age
(Possibly just Access-Control-*)
Content-Security-Policy
Content-Security-Policy-Report-Only
Strict-Transport-Security
X-Content-Security-Policy
X-Frame-Options

And probably the following request headers as well:

Access-Control-Request-Headers
Access-Control-Request-Method
Origin
Referer
(Reporter)

Updated

4 years ago
Whiteboard: [ReviewTeam] → [ReviewTeam:P1]
(Reporter)

Updated

4 years ago
Target Milestone: --- → 2015-02
Assignee: nobody → mstriemer
(Assignee)

Updated

3 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Assignee: mstriemer → nobody
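
A sketch of the check the description asks for, as an added example that is not part of the original report or of any Mozilla validator code. It assumes add-on code sets headers through `nsIHttpChannel.setResponseHeader` / `setRequestHeader`; the function names `scan` and `is_security_header` and the sample add-on source are constructed for illustration.

```python
import re

# Header names taken from the bug description; compared lowercased because
# HTTP header names are case-insensitive.
RESPONSE_HEADERS = {"content-security-policy", "content-security-policy-report-only",
                    "strict-transport-security", "x-content-security-policy",
                    "x-frame-options"}
RESPONSE_PREFIX = "access-control-"  # the report's "possibly just Access-Control-*"
REQUEST_HEADERS = {"access-control-request-headers", "access-control-request-method",
                   "origin", "referer"}

# Assumption: headers are set via nsIHttpChannel.setResponseHeader/setRequestHeader.
# The first argument is captured either as a string literal or as an expression.
CALL_RE = re.compile(
    r"""\b(set(?:Response|Request)Header)\s*\(\s*(?:(["'])(.*?)\2|([^,)\s]+))""")

def is_security_header(method, name):
    """True if `name` is on the report's list for this kind of call."""
    name = name.strip().lower()
    if method == "setResponseHeader":
        return name in RESPONSE_HEADERS or name.startswith(RESPONSE_PREFIX)
    return name in REQUEST_HEADERS

def scan(source):
    """Return (line, method, header_or_expression, kind) for each call to warn on."""
    warnings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            method, literal, expr = m.group(1), m.group(3), m.group(4)
            if literal is None:
                # Header name computed at runtime: cannot be judged statically,
                # so surface it for manual review instead of passing it silently.
                warnings.append((lineno, method, expr, "dynamic-name"))
            elif is_security_header(method, literal):
                warnings.append((lineno, method, literal, "security-header"))
    return warnings

# Constructed sample of add-on source, not taken from any real add-on.
SAMPLE = '''\
channel.setResponseHeader("x-frame-options", value, false);
channel.setResponseHeader("Access-Control-Allow-Origin", value, false);
channel.setRequestHeader('Referer', value, false);
channel.setRequestHeader("X-Custom", value, false);
channel.setResponseHeader(name, value, false);
'''

if __name__ == "__main__":
    for w in scan(SAMPLE):
        print("line %d: %s(%s) [%s]" % w)
```

A header name built by string concatenation starts with a literal and is judged on that fragment alone, so a reviewer should still read any call whose first argument is not a single plain string.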