
Implement Content Security Policy (CSP) for SUMO

NEW
Unassigned

Status

support.mozilla.org
Code Quality
2 years ago
2 years ago

People

(Reporter: April, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)


(Reporter)

Description

2 years ago
Hello! I was hoping we would be able to get Content Security Policy (CSP) enabled on support.mozilla.org. CSP is the most effective way to reduce cross-site scripting (XSS) attacks on our websites, particularly by disabling the ability for inline JavaScript to run.

In my experimenting with CSP, it seems that this policy works properly on su.mo, without causing any ill effects:

> Content-Security-Policy: default-src https:; img-src data: https:; style-src https: 'unsafe-inline'

(namely, allowing files to be loaded only via https:, images via https: and data:, and allowing inline stylesheets)

We could also try to lock it down a lot more, but there's a greater chance of something slipping through the cracks. This locked down policy also seems to work for me:

> Content-Security-Policy: default-src none; connect-src 'self' https://*.optimizely.com; font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com https://*.optimizely.com; script-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://cdn.optimizely.com; style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'

Although I'd definitely recommend further testing on that one. su.mo seems really well-designed when it comes to supporting CSP, so I am confident that we can get there quickly. :)
(Reporter)

Updated

2 years ago
Summary: Enable Content Security Policy (CSP) → Enable Content Security Policy (CSP) on SUMO
(Reporter)

Updated

2 years ago
Blocks: 921418
(Reporter)

Updated

2 years ago
Summary: Enable Content Security Policy (CSP) on SUMO → Implement Content Security Policy (CSP) for SUMO
(Reporter)

Comment 1

2 years ago
Found another script source today (geo.mozilla.org):

> Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.optimizely.com; font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com https://*.optimizely.com; script-src https://geo.mozilla.org https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://cdn.optimizely.com; style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'
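The three policies in this bug (the permissive one and the locked-down one from the description, and the Comment 1 revision that adds geo.mozilla.org) are easier to reason about once parsed into directives and source lists. The script below is an added example, not SUMO/Kitsune project code or anything the reporter posted: it parses a CSP header value, serialises it back, adds a source to a directive the way Comment 1 does, and runs a few lint checks. The lint rules are an assumption about what is worth flagging, not a full CSP validator; one of them rests on a fact of the CSP grammar that the two locked-down policies illustrate: keywords such as `none` and `self` only count as keywords when single-quoted, so an unquoted `default-src none` is a host-source matching a host literally named "none", which is why Comment 1 writes `'none'`.

```python
"""Parse, lint and serialise Content-Security-Policy header values.

Added example, not SUMO/Kitsune project code. The sample policies are
copied from the bug's description; the lint rules are an assumption about
which mistakes are worth surfacing during CSP rollout.
"""

# Source expressions that are only keywords when single-quoted. A bare
# "none" or "self" is parsed by browsers as a host name, not a keyword.
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

# Directives whose sources decide where script may come from.
SCRIPT_DIRECTIVES = ("script-src", "default-src")


def parse_policy(header):
    """Split a header value into {directive: [source, ...]}.

    Directives are ';'-separated and sources whitespace-separated. If a
    directive is repeated, browsers honour the first occurrence, so the
    parser does too.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def build_policy(policy):
    """Serialise {directive: [source, ...]} back into a header value."""
    return "; ".join(
        f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items()
    )


def add_source(header, directive, source):
    """Return a copy of the header with one more source on a directive.

    This is the operation Comment 1 performs when it adds
    https://geo.mozilla.org to script-src.
    """
    policy = parse_policy(header)
    sources = policy.setdefault(directive, [])
    if source not in sources:
        sources.append(source)
    return build_policy(policy)


def lint_policy(header):
    """Return a list of findings for common CSP mistakes (assumed rule set)."""
    policy = parse_policy(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: directives not listed are unrestricted")
    for name, sources in policy.items():
        for src in sources:
            if src.lower() in KEYWORDS:
                findings.append(f"{name}: keyword {src} must be quoted as '{src}'")
        if name in SCRIPT_DIRECTIVES and "'unsafe-inline'" in sources:
            findings.append(
                f"{name}: 'unsafe-inline' allows inline scripts, negating XSS protection"
            )
        if name in SCRIPT_DIRECTIVES and ("*" in sources or "https:" in sources):
            findings.append(f"{name}: scheme/wildcard source permits scripts from any host")
    return findings


# Sample policies quoted from the bug description.
PERMISSIVE = "default-src https:; img-src data: https:; style-src https: 'unsafe-inline'"
LOCKED_DOWN = (
    "default-src none; connect-src 'self' https://*.optimizely.com; "
    "font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; "
    "img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net "
    "https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com "
    "https://*.optimizely.com; "
    "script-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net "
    "https://ssl.google-analytics.com https://cdn.optimizely.com; "
    "style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'"
)


if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE), ("locked down", LOCKED_DOWN)):
        print(f"{label}: {lint_policy(header) or 'no findings'}")
    # Quote the keyword and add the script host found in Comment 1.
    revised = add_source(
        LOCKED_DOWN.replace("default-src none", "default-src 'none'"),
        "script-src",
        "https://geo.mozilla.org",
    )
    print(build_policy(parse_policy(revised)))
```

Running it flags the unquoted `none` in the locked-down policy and the `https:` fallback for scripts in the permissive one (any HTTPS host can serve script there, even though inline script is blocked); after quoting the keyword and adding geo.mozilla.org the locked-down policy lints clean. The lint list is deliberately short; a real rollout would still be driven by a `Content-Security-Policy-Report-Only` phase, which is where the "further testing" the reporter asks for belongs.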