Closed Bug 1139119 Opened 11 years ago Closed 10 years ago

Enable strict CSP on hello.firefox.com

Categories

(Cloud Services :: Operations: Deployment Requests - DEPRECATED, task)

Product:
Cloud Services
Component:
Operations: Deployment Requests - DEPRECATED
Platform:
x86_64
Linux
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: jvehent, Assigned: jschneider)

References

Details

Attachments

(2 files, 3 obsolete files)

Nginx CSP config change for loop client
989 bytes, patch
Details | Diff | Splinter Review
Add basic CSP to dev server
3.92 KB, patch
Details | Diff | Splinter Review
Hello Client should have a strict CSP policy to prevent a wide range of web attacks. The policy is currently set to "Content-Security-Policy: frame-ancestors 'self'" and should at least include "default-src 'self';".
Based on the CSP we use for the desktop client, I think the following policy is approximately correct for hello.firefox.com, at least for the near-term: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net
Component: Client → Server
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Status: REOPENED → NEW
Updating the component, this work needs to be done on loop-webapp nginx rules.
Component: Server → Operations: Deployment Requests
Product: Loop → Mozilla Services
John -- this appears to have slipped between the cracks. What can I do to help move it up in the priority list?
Flags: needinfo?(jrgm)
:abr - uh, did you mean Julien, :ulfr? I'm all in favour of getting CSP in, but I haven't worked directly with fmd.
Flags: needinfo?(jrgm)
(In reply to John Morrison [:jrgm] from comment #5) > :abr - uh, did you mean Julien, :ulfr? > > I'm all in favour of getting CSP in, but I haven't worked directly with fmd. Sorry, I just looked at who tended to handle bugs on this component. I'm trying to track down who should own this now. :)
Travis, can we get somebody on this ASAP please?
Flags: needinfo?(tblow)
I'll find an owner to add the policy to the webapp. It should be done by the devs, not set on the ops side.
Flags: needinfo?(tblow)
Based on the current state of the standalone client, we're going to need something more permissive than the desktop client. In particular: due to our use of GA and Optimizely, we'll need to whitelist them for scripts, and allow inline and eval scripts. This isn't awesome, but it's an improvement over having no CSP in place. frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com
The attached PR should enable this policy. It need to go through security testing and QA before being promoted to production, as this is likely to break stuff!
Adding the patch directly since most people on this bug don't have access to the private github repo.
Attachment #8670413 - Attachment is obsolete: true
Taking this bug.
Assignee: nobody → bobm
Status: NEW → ASSIGNED
QA Contact: rpappalardo
Deployed to staging. :rpapa please test when possible.
I've just happened to be attempting to test something on stage, and the CSP doesn't work for me. I'm not sure why it did for Richard. I'm getting: Content Security Policy: The page's settings blocked the loading of a resource at https://call.stage.mozaws.net/l10n/en-US/loop.properties ("connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net"). <unknown> GET https://call.stage.mozaws.net/shared/libs/sdk-content/js/dynamic_config.min.js [HTTP/1.1 304 Not Modified 31ms] Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://call.stage.mozaws.net"). nGow_BVQd_c Content Security Policy: The page's settings blocked the loading of a resource at https://www.google-analytics.com/collect?v=1&_v=j39&aip=1&a=712999120&t=pageview&_s=1&dl=https%3A%2F%2Fcall.stage.mozaws.net%2Fconversation%2F&ul=en-us&de=UTF-8&dt=Link%20Clicker&sd=24-bit&sr=1920x1200&vp=1440x476&je=0&fl=19.0%20r0&_u=QACAAEABI~&jid=&cid=126134665.1422875451&tid=UA-36116321-15&z=621772878 ("img-src https://call.stage.mozaws.net data: https://www.gravatar.com/"). I think we actually want two policies, one for stage, one for production - due to the different servers being used. The stage one should probably be: add_header Content-Security-Policy "frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com https://*.mozaws.net wss://*.mozaws.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com"; and the production one should be: add_header Content-Security-Policy "frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.com https://*.firefox.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com"; Adam, can you double-check these are right please?
Flags: needinfo?(adam)
Puppet uses the same configuration file for stage and prod. I think we should keep it that way, and make a single policy that works for both environments, to avoid finding surprises when we ship to prod.
(In reply to Mark Banner (:standard8) from comment #14) > I've just happened to be attempting to test something on stage, and the CSP > doesn't work for me. I'm not sure why it did for Richard. I'm getting: > > Content Security Policy: The page's settings blocked the loading of a > resource at https://call.stage.mozaws.net/l10n/en-US/loop.properties > ("connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net"). <unknown> > GET > https://call.stage.mozaws.net/shared/libs/sdk-content/js/dynamic_config.min. > js [HTTP/1.1 304 Not Modified 31ms] > Content Security Policy: The page's settings blocked the loading of a > resource at self ("default-src https://call.stage.mozaws.net"). nGow_BVQd_c > Content Security Policy: The page's settings blocked the loading of a > resource at > https://www.google-analytics.com/ > collect?v=1&_v=j39&aip=1&a=712999120&t=pageview&_s=1&dl=https%3A%2F%2Fcall. > stage.mozaws.net%2Fconversation%2F&ul=en-us&de=UTF-8&dt=Link%20Clicker&sd=24- > bit&sr=1920x1200&vp=1440x476&je=0&fl=19. > 0%20r0&_u=QACAAEABI~&jid=&cid=126134665.1422875451&tid=UA-36116321- > 15&z=621772878 ("img-src https://call.stage.mozaws.net data: > https://www.gravatar.com/"). > > I think we actually want two policies, one for stage, one for production - > due to the different servers being used. > > The stage one should probably be: > > add_header Content-Security-Policy "frame-ancestors 'self'; default-src > 'self'; img-src 'self' data: https://www.gravatar.com/; font-src 'none'; > connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > https://*.mozaws.net wss://*.mozaws.net; script-src 'self' 'unsafe-inline' > 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com"; > > and the production one should be: > > add_header Content-Security-Policy "frame-ancestors 'self'; default-src > 'self'; img-src 'self' data: https://www.gravatar.com/; font-src 'none'; > connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozilla.com https://*.firefox.com; script-src > 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com > https://www.google-analytics.com"; > > Adam, can you double-check these are right please? Looking at what's going on here, I think we want to simply add "https://*.mozaws.net/" to the connect-src list. In order for GA to not break, we'll also need to add https://www.google-analytics.com to img-src. I'll note that the 'unsafe-inline' and 'unsafe-eval' directives here were added based on a belief that GA required them to be present. I've run some experiments to determine exactly what GA does to require these directives, and have discovered that I can at least load the GA script (and see a 'page hit' beacon fire) without having either. Based on that research, I'm going to suggest we pull 'unsafe-eval' from the CSP string. We can't pull 'unsafe-inline' quite yet, due to the use of script inlining in our own client. I have filed Bug 1212428 to address that issue. For the time being, we can test out a CSP of: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; script-src 'self' 'unsafe-inline' https://cdn.optimizely.com https://www.google-analytics.com Once Bug 1212428 lands, we can remove the 'unsafe-inline' directive, and run through our tests to make sure everything works.
Depends on: 1212428
Flags: needinfo?(adam)
On further playing around with GA, I've found that the tracking dot sometimes comes from google-analytics.com, and sometimes from doubleclick.com (e.g., I've seen requests of the form https://stats.g.doubleclick.net/r/collect?...") Revised proposal: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; script-src 'self' 'unsafe-inline' https://cdn.optimizely.com https://www.google-analytics.com
(In reply to Adam Roach [:abr] from comment #17) > frame-ancestors 'self'; default-src 'self'; img-src 'self' data: > https://www.gravatar.com/ https://www.google-analytics.com > https://stats.g.doubleclick.net; font-src 'none'; connect-src > wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net > https://*.mozaws.net; script-src 'self' 'unsafe-inline' > https://cdn.optimizely.com https://www.google-analytics.com This version has been deployed to staging. :rpapa please test.
May I suggest that you set the production config to use `Content-Security-Policy-Report-Only` and set up a reporting endpoint and then analyze what is reported over a release cycle or two. The alternative is to be silently broken by just going all in on the first go.
I agree. I don't think we have a generic service for catching and analyzing those violations today (format of the report is documented at http://www.w3.org/TR/CSP/#violation-reports). Yvan: That looks like something your team should handle. Any thoughts?
Flags: needinfo?(yboily)
(In reply to Bob Micheletto [:bobm] from comment #18) > (In reply to Adam Roach [:abr] from comment #17) > > frame-ancestors 'self'; default-src 'self'; img-src 'self' data: > > https://www.gravatar.com/ https://www.google-analytics.com > > https://stats.g.doubleclick.net; font-src 'none'; connect-src > > wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > > wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net > > https://*.mozaws.net; script-src 'self' 'unsafe-inline' > > https://cdn.optimizely.com https://www.google-analytics.com > Thanks, Bob. I've tested this on stage and still getting a blank page on URL test calls. > This version has been deployed to staging. :rpapa please test.
That last version is giving: Error: call to eval() blocked by CSP Based on comment 9 and comment 14, I think comment 17 should have given: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com which adds the unsafe-eval option.
(In reply to Mark Banner (:standard8) from comment #22) > which adds the unsafe-eval option. Actually, I removed that on purpose, and was hoping that we could remove 'unsafe-inline' when Bug 1212428 lands. Where is the eval() coming from? If it's our code, we need to figure out how to remove it. If it's in Google's code, I need to start a conversation with our security folks.
Flags: needinfo?(standard8)
(In reply to Mark Banner (:standard8) from comment #22) > That last version is giving: > > Error: call to eval() blocked by CSP > > Based on comment 9 and comment 14, I think comment 17 should have given: > > frame-ancestors 'self'; default-src 'self'; img-src 'self' data: > https://www.gravatar.com/ https://www.google-analytics.com > https://stats.g.doubleclick.net; font-src 'none'; connect-src > wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net > https://*.mozaws.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' > https://cdn.optimizely.com https://www.google-analytics.com > > which adds the unsafe-eval option. Rolled this version into stage for testing purposes.
Thanks, Bob. I've tested this on stage, but it looks even with the unsafe eval(), some things are broken: [1]. FxA contacts tab is missing [2]. Conversation window (on Nightly) comes up blank Note: these were working with stage deployment of 0.20.2 just prior (without CSP)
(In reply to Richard Pappalardo [:rpapa][:rpappalardo] from comment #25) > Thanks, Bob. I've tested this on stage, but it looks even with the unsafe > eval(), some things are broken: > [1]. FxA contacts tab is missing That's part of a big rework we are currently doing which removes direct calls & contacts. > [2]. Conversation window (on Nightly) comes up blank The panel and conversation window are totally separate from the staging deploy of loop-client. There's nothing on the loop-client part of the server that can affect them. The conversation window is working fine for me here. > Note: these were working with stage deployment of 0.20.2 just prior (without > CSP) I suspect a nightly update might have affected you in-between. The staging page now works for me with the unsafe-eval in, I'll go and see if I can hunt down where the eval has come from.
(In reply to Adam Roach [:abr] from comment #23) > (In reply to Mark Banner (:standard8) from comment #22) > > which adds the unsafe-eval option. > > Actually, I removed that on purpose, and was hoping that we could remove > 'unsafe-inline' when Bug 1212428 lands. Where is the eval() coming from? If > it's our code, we need to figure out how to remove it. If it's in Google's > code, I need to start a conversation with our security folks. Ok, I've spent a bit of time looking around. It looks like the eval() is something to do with the webpack concatenation that we've just added. I setup the CSP for a local test server without the unsafe-eval option, and it worked fine with our unpreprocessed code. Processing the code for concatenation, then caused the eval issue to be triggered. However, I can't yet find what is introducing this - the only thing I found was https://github.com/facebook/react-devtools/issues/134 which implies issues for a devtool extension within webpack, but we're not using that (and I tried switching it to a non-eval version as well). Dan, have you got any ideas here?
Flags: needinfo?(standard8) → needinfo?(dmose)
Yes, I think to fix this we'll need to get rid of the uses of the "script" loader in webappEntryPoints.js as well as tweak some config stuff. This may or may not be easy; I'm still experimenting... More as I figured it out.
Flags: needinfo?(dmose)
Flags: needinfo?(dmose)
Attached patch Add basic CSP to dev server (obsolete) — Splinter Review
In order to debug this, I added a basic CSP to the standalone server so that I could actually develop in an environment more similar to production. The csp here is based on the one from comment 17. I'm spinning off another bug for fixing the unsafe-eval stuff; it will block this one. I'm uploading this patch, because while the csp here works on Firefox, it has various problems on Chrome. When we get cross browser functional tests, they will catch this sort of problem. It'd be great if we could put the CSP in a file somewhere and have the standalone server policy and the production puppet stuff generated all from a single source so that we catch any CSP-issues as we're developing.
Flags: needinfo?(dmose)
A reporting only configuration has been deployed to stage and is awaiting testing.
Flags: needinfo?(rpappalardo)
Attached patch Add basic CSP to dev server (obsolete) — Splinter Review
Updated to function on both Firefox and Chrome. Exactly how close this is to what we should actually deploy is unclear to me, but it's useful for testing CSP stuff in the development rig.
Attachment #8674529 - Attachment is obsolete: true
Note that this patch also forces both GA and optimizely to load by https in both production and dev, which I assume is a reasonable choice.
Added 'unsafe-eval' since optimizely still seems to need it, at least some of the time
Attachment #8679137 - Attachment is obsolete: true
Bob, for the 0.21.0 deploy, please could we update the CSP to: add_header Content-Security-Policy-Report-Only "frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; report-uri /CSP/"; There's a few extra things here for the frame-src, media-src and style-src that I've taken from Dan's dev server patch and should reduce the false positives on the initial reporting version, hopefully giving us better confidence that its right.
Flags: needinfo?(bobm)
(In reply to Mark Banner (:standard8) from comment #34) > Bob, for the 0.21.0 deploy, please could we update the CSP to: > > add_header Content-Security-Policy-Report-Only "frame-ancestors 'self'; > default-src 'self'; img-src 'self' data: https://www.gravatar.com/ > https://www.google-analytics.com https://stats.g.doubleclick.net; font-src > 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src > wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net > https://*.mozaws.net; media-src 'self' blob:; script-src 'self' > 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com > https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; > report-uri /CSP/"; > > There's a few extra things here for the frame-src, media-src and style-src > that I've taken from Dan's dev server patch and should reduce the false > positives on the initial reporting version, hopefully giving us better > confidence that its right. This has been deployed to stage.
Flags: needinfo?(bobm)
This has been tested and verified on stage: https://bugzilla.mozilla.org/show_bug.cgi?id=1218501#c6 and will be deployed to production tomorrow 11/4 @2pm PST: Bug 1221353 - Please deploy loop-client 0.21.0 to PRODUCTION
Flags: needinfo?(rpappalardo)
CSP Reporting live in production. Now getting reports such as the following: { "csp-report": { "blocked-uri": "https://loop.services.mozilla.com/v0/rooms/XXXXXXXXXXX", "document-uri": "https://hello.firefox.com/XXXXXXXXXXX", "original-policy": "frame-ancestors https://hello.firefox.com; default-src https://hello.firefox.com; img-src https://hello.firefox.com data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; frame-src https://hello.firefox.com https://tiles.cdn.mozilla.net; connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; media-src https://hello.firefox.com blob:; script-src https://hello.firefox.com 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com; style-src https://hello.firefox.com about: 'unsafe-inline'; report-uri https://hello.firefox.com/__cspreporting__/", "referrer": "", "violated-directive": "connect-src wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net" } }
I've taken an initial look through some of the reports, and I think we should be changing what I said in comment 34 to: add_header Content-Security-Policy-Report-Only "frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src 'self' wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozila.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; report-uri /CSP/"; This adds 'self' and https://*.mozilla.com to connect-src. Adam, was there a specific reason you didn't add 'self' to connect-src originally (versus specifying all the urls manually)?
Flags: needinfo?(adam)
Bob, is there a way we could get Kibana (or the processing stream) to split up the request field automatically? That would save some manual processing/analysis of the output. If Adam's ok with the revised suggestion, I think we could potentially deploy that next week (still as report-only), to see if we can get a clearer picture of the state. There's some loop-client improvements that should be ready as well, so we can combine it with them.
Flags: needinfo?(bobm)
(In reply to Mark Banner (:standard8) from comment #40) > Bob, is there a way we could get Kibana (or the processing stream) to split > up the request field automatically? That would save some manual > processing/analysis of the output. There is a way, but it'll take some time and effort to implement. We're considering how to handle CSP Reporting for all of Cloud Services, and that looks like a 2016 activity. See the tracker Bug 1221725. > If Adam's ok with the revised suggestion, I think we could potentially > deploy that next week (still as report-only), to see if we can get a clearer > picture of the state. There's some loop-client improvements that should be > ready as well, so we can combine it with them. Sounds good.
Flags: needinfo?(bobm)
(In reply to Bob Micheletto [:bobm] from comment #41) > (In reply to Mark Banner (:standard8) from comment #40) > > Bob, is there a way we could get Kibana (or the processing stream) to split > > up the request field automatically? That would save some manual > > processing/analysis of the output. > > There is a way, but it'll take some time and effort to implement. We're > considering how to handle CSP Reporting for all of Cloud Services, and that > looks like a 2016 activity. See the tracker Bug 1221725. Is there a reason why that's marked confidential? If possible, open it up, or at least CC me please. As far as ease of processing of CSP reports, Sentry just added CSP reporting support (https://github.com/getsentry/sentry/issues/729), and I've been using it for a site for a few weeks now. Works quite well. Don't forget HPKP and X-XSS-Protection reporting as well. CSP isn't the only thing with a reporting mechanism. :)
(In reply to Mark Banner (:standard8) from comment #39) > I've taken an initial look through some of the reports, and I think we > should be changing what I said in comment 34 to: > > add_header Content-Security-Policy-Report-Only "frame-ancestors 'self'; > default-src 'self'; img-src 'self' data: https://www.gravatar.com/ > https://www.google-analytics.com https://stats.g.doubleclick.net; font-src > 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src 'self' > wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozila.com https://*.mozilla.org > wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src > 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com > https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; > report-uri /CSP/"; > > This adds 'self' and https://*.mozilla.com to connect-src. > > Adam, was there a specific reason you didn't add 'self' to connect-src > originally (versus specifying all the urls manually)? Nah, I think I just spaced out on that. Go ahead and use 'self', which should ease the transition to having CSP on staging and local testing.
Flags: needinfo?(adam)
(In reply to Mark Banner (:standard8) from comment #39) > I've taken an initial look through some of the reports, and I think we > should be changing what I said in comment 34 to: > > add_header Content-Security-Policy-Report-Only "frame-ancestors 'self'; > default-src 'self'; img-src 'self' data: https://www.gravatar.com/ > https://www.google-analytics.com https://stats.g.doubleclick.net; font-src > 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src 'self' > wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com > wss://*.mozilla.com https://*.mozila.com https://*.mozilla.org > wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src > 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com > https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; > report-uri /CSP/"; Looking through the reports, I see the following violations that should be allowed: connect-src https://hello.firefox.com/ connect-src https://*.optimizely.com/
(In reply to Adam Roach [:abr] from comment #44) > Looking through the reports, I see the following violations that should be > allowed: > > connect-src https://hello.firefox.com/ > connect-src https://*.optimizely.com/ Discussing on irc, we just need the second of these - the hello.firefox.com is covered by the already added "content-src 'self'.
We've now had time for an extended analysis, and I can confirm that the CSP looks good to go. The only minor change needed is for: https://cdn.optimizely.com to be changed to https://*.optimizely.com We're planning on shipping that change and pushing the CSP "live" in the next release of loop standalone. Also clearing NI as we have a reporting process set up now.
Flags: needinfo?(yvanboily+mozbugmail)
(In reply to Mark Banner (:standard8) from comment #46) > We've now had time for an extended analysis, and I can confirm that the CSP > looks good to go. The only minor change needed is for: > > https://cdn.optimizely.com to be changed to https://*.optimizely.com > > We're planning on shipping that change and pushing the CSP "live" in the > next release of loop standalone. > > Also clearing NI as we have a reporting process set up now. This configuration is presently deployed to stage.
CSP change noted on STAGE. did a few e2e-tests to verify everything's working as expected. per conversation with :bobm, we'll wait on next loop-client tag (coming out this week?) and deploy this change at same time. previously on STAGE: $ curl -I https://call.stage.mozaws.net: HTTP/1.1 301 Moved Permanently Content-Length: 191 Content-Security-Policy-Report-Only: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src 'self' wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; report-uri /__cspreporting__/ Content-Type: text/html Date: Fri, 04 Dec 2015 23:30:04 GMT Location: https://www.mozilla.org/firefox/hello/ X-Frame-Options: SAMEORIGIN Connection: keep-alive now on STAGE: $ curl -I https://call.stage.mozaws.net: HTTP/1.1 301 Moved Permanently Content-Length: 191 Content-Security-Policy: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src 'self' wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.optimizely.com https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; report-uri /__cspreporting__/ Content-Type: text/html Date: Wed, 27 Jan 2016 17:15:36 GMT Location: https://www.mozilla.org/firefox/hello/ X-Frame-Options: SAMEORIGIN Connection: keep-alive
Blocks: 1243500
Blocks: 1245893
Changing assignee to :jp.
Assignee: bobm → jschneider
Blocks: 1248491
Ohai, we're celebrating the first anniversary of this bug in 3 days \o/ Any chance we could do that with a prod release? :)
This is now in production. We should still wish this bug a happy birthday!
Status: ASSIGNED → RESOLVED
Closed: 11 years ago10 years ago
Resolution: --- → FIXED
For posterity: $ curl -I https://hello.firefox.com 2>/dev/null | grep 'Content-Security-Policy' Content-Security-Policy-Report-Only: frame-ancestors 'self'; default-src 'self'; img-src 'self' data: https://www.gravatar.com/ https://www.google-analytics.com https://stats.g.doubleclick.net; font-src 'none'; frame-src 'self' https://tiles.cdn.mozilla.net; connect-src 'self' wss://*.tokbox.com https://*.opentok.com https://*.tokbox.com wss://*.mozilla.com https://*.mozilla.com https://*.mozilla.org wss://*.mozaws.net https://*.mozaws.net; media-src 'self' blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.optimizely.com https://www.google-analytics.com; style-src 'self' about: 'unsafe-inline'; report-uri /__cspreporting__/
Bug 1252175 - Please deploy loop standalone 1.1.5 to PRODUCTION
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: