Closed Bug 1157810 Opened 6 years ago Closed 6 years ago
Enforce that tile images are loaded from mozilla
During doc review in bug 1156876, we noted that tile image URLs are from Mozilla servers, but this is not enforced in the code. We should enforce that these are always from mozilla.com or mozilla.net so that we don't accidentally leak information to other servers about a user's behavior.
When testing in stage we use the *.mozaws.net domain. If we start enforcing that one should be white listed as well.
mostlygeek, do we expect to be on mozilla.net for the foreseeable future? When we initially launched, the images were hosted cloudfront.net so it happened to be nice we didn't need to change Firefox code to support switching to mozilla.net.
Yes, we should be at the tiles.cdn.mozilla.net domain for a long time. If we were to change we'll do it with a new subdomain, ie: tiles2.cdn.mozilla.net.
erg... that is if we were to change CDN providers.
mostlygeek, I noticed when testing in stage, it resulted in urls from s3.amazonaws.com instead of mozaws.net. Is it just a configuration change somewhere to make the images be mozaws instead of amazonaws? Alternatively, we could tie the check to a pref: a boolean for check or not or a string for allowed domains defaulting to mozilla.net but can be overridden to mozaws.net or anything else.
My bad. Yes, in stage it actually comes from S3 directly and not from a mozaws.net domain.
Assignee: nobody → edilee
Iteration: --- → 41.1 - May 25
Component: Tiles → New Tab Page
Product: Content Services → Firefox
Summary: Enforce that tile images are loaded from mozilla.com or mozilla.net → Enforce that tile images are loaded from mozilla.net
f? per https://wiki.mozilla.org/Firefox/Data_Collection There's no additional data being collected. Firefox is enforcing images are from mozilla.net (or data URI), so updating .rst.
Attachment #8606049 - Flags: feedback?(benjamin) → feedback+
You need to log in before you can comment on or make changes to this bug.