Closed Bug 1157810 Opened 6 years ago Closed 6 years ago

Enforce that tile images are loaded from mozilla.net

Categories

(Firefox :: New Tab Page, defect)

defect
Not set
normal
Points:
3

Tracking

()

RESOLVED FIXED
Firefox 41
Iteration:
41.1 - May 25
Tracking Status
firefox41 --- fixed

People

(Reporter: benjamin, Assigned: Mardak)

References

Details

(Whiteboard: .?)

Attachments

(1 file)

During doc review in bug 1156876, we noted that tile image URLs are from Mozilla servers, but this is not enforced in the code. We should enforce that these are always from mozilla.com or mozilla.net so that we don't accidentally leak information to other servers about a user's behavior.
Points: --- → 3
Whiteboard: .?
When testing in stage we use the *.mozaws.net domain. If we start enforcing that one should be white listed as well.
mostlygeek, do we expect to be on mozilla.net for the foreseeable future? When we initially launched, the images were hosted cloudfront.net so it happened to be nice we didn't need to change Firefox code to support switching to mozilla.net.
Yes, we should be at the tiles.cdn.mozilla.net domain for a long time. If we were to change we'll do it with a new subdomain, ie: tiles2.cdn.mozilla.net.
erg... that is if we were to change CDN providers.
Blocks: 1158230
mostlygeek, I noticed when testing in stage, it resulted in urls from s3.amazonaws.com instead of mozaws.net. Is it just a configuration change somewhere to make the images be mozaws instead of amazonaws?

Alternatively, we could tie the check to a pref: a boolean for check or not or a string for allowed domains defaulting to mozilla.net but can be overridden to mozaws.net or anything else.
My bad. Yes, in stage it actually comes from S3 directly and not from a mozaws.net domain.
Assignee: nobody → edilee
Iteration: --- → 41.1 - May 25
Component: Tiles → New Tab Page
Product: Content Services → Firefox
Summary: Enforce that tile images are loaded from mozilla.com or mozilla.net → Enforce that tile images are loaded from mozilla.net
Attached patch v1Splinter Review
f? per https://wiki.mozilla.org/Firefox/Data_Collection

There's no additional data being collected. Firefox is enforcing images are from mozilla.net (or data URI), so updating .rst.
Attachment #8606049 - Flags: review?(adw)
Attachment #8606049 - Flags: feedback?(benjamin)
Attachment #8606049 - Flags: review?(adw) → review+
Attachment #8606049 - Flags: feedback?(benjamin) → feedback+
https://hg.mozilla.org/mozilla-central/rev/a93f59b2e222
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 41
You need to log in before you can comment on or make changes to this bug.