In bug 918180, we decided that a well-known hole in the same origin policy  was a danger to Bugzilla. To prevent Bugzilla attachments from exploiting it, we moved attachments from *.bugzilla.mozilla.org to *.bmoattachments.org. But that's not sufficient to protect our instance of Bugzilla. We have XSS bugs in mozilla.org subdomains all the time , and most of these subdomains aren't even covered by our bug bounty . Possible solutions, from most general to most expedient: A) Fix , for all sites (using a new CSP flag?), in all browsers B) Audit Bugzilla to ensure that  does not affect it badly C) Move bugzilla.mozilla.org its own domain (bugzil.la?) This bug is for (C). 
while it would be ideal, mozilla doesn't own or manage the bugzil.la domain. reed - how do you feel about handing over the bugzil.la domain to moco?
Where do we discuss option B), the option of hardening Bugzilla against the problem ? If an adequate set of defences for a web app to protect itself from problems on different sites in the same domain do not actually exist, then that would surely mean that the browser makers need to take option A) ASAP? Gerv
For C), based on our recent work with etherpad, I suggest 'bugzilla-mozilla.org'. It's the same domain as before, just with a carefully placed - to work around cookie subdomain inheritance stuff. We can use the same SSL certificate for both b.m.o and b-m.o and redirect from the former to the latter, so that the ownership trail is clear and so on. And that way it's still BMO, and not just 'bugzilla'.
_How_ we do it is not so tricky; but perhaps we should resolve "if" first? :-) Gerv
(In reply to Byron Jones ‹:glob› from comment #2) > while it would be ideal, mozilla doesn't own or manage the bugzil.la domain. > reed - how do you feel about handing over the bugzil.la domain to moco? Let's chat OOB (IRC is fine) about this if that's a serious option. However, .LA ccTLD is not known for being the most stable, so operationally and security-wise, might be a concern.
It is not clear that bug 918180 was ever a danger to BMO. There are still risks associated with this domain setup, although many of them could be solved by using the __Host- prefix for our cookies. I'm going to mark this as WONTFIX, the cost of changing the domain is currently too high to justify.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.