Closed Bug 1238772 Opened 8 years ago Closed 2 years ago

Implement Content Security Policy (CSP) for SUMO

Categories

(support.mozilla.org :: Code Quality, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: April, Assigned: tasos)

Details

Hello! I was hoping we would be able to get Content Security Policy (CSP) enabled on support.mozilla.org. CSP is the most effective way to reduce cross-site scripting (XSS) attacks on our websites, particularly by disabling the ability for inline JavaScript to run.

In my experimenting with CSP, it seems that this policy works properly on su.mo, without causing any ill effects:

> Content-Security-Policy: default-src https:; img-src data: https:; style-src https: 'unsafe-inline'

(namely, allowing files to be loaded only via https:, images via https: and data:, and allowing inline stylesheets)

We could also try to lock it down a lot more, but there's a greater chance of something slipping through the cracks. This locked down policy also seems to work for me:

> Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.optimizely.com; font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com https://*.optimizely.com; script-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://cdn.optimizely.com; style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'

Although I'd definitely recommend further testing on that one. su.mo seems really well-designed when it comes to supporting CSP, so I am confident that we can get there quickly. :)
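
The two policies proposed above, run through a small parser and linter. This is an added example, not kitsune's code or anything from the SUMO deployment; the checks it applies (keywords must be quoted, 'unsafe-inline' in script-src, and scheme-only `default-src https:` with no script-src) are this example's own assumptions about what a reviewer would look for before enforcing a policy.

```python
"""Parse a Content-Security-Policy header and flag common mistakes.

Added example, not kitsune's own code. The two policies below are the ones
proposed in comment 0; the check list is an assumption about what a
reviewer would want flagged, not SUMO's deployment logic.
"""
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}

LOOSE_POLICY = "default-src https:; img-src data: https:; style-src https: 'unsafe-inline'"
STRICT_POLICY = (
    "default-src 'none'; connect-src 'self' https://*.optimizely.com; "
    "font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; "
    "img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net "
    "https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com "
    "https://*.optimizely.com; "
    "script-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net "
    "https://ssl.google-analytics.com https://cdn.optimizely.com; "
    "style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}; directive names are case-insensitive."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def lint_csp(header: str) -> list:
    """Return a list of findings for a policy; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings = []
    for name, sources in policy.items():
        for src in sources:
            # Keywords must be quoted: an unquoted none is a host-source that
            # matches a host literally called "none", not the empty set.
            if src in KEYWORDS:
                findings.append(f"{name}: keyword {src} must be written '{src}'")
        if name == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src: 'unsafe-inline' re-enables inline script")
    # Without an explicit script-src, default-src governs scripts, so a bare
    # https: scheme source lets script load from any https origin.
    if "script-src" not in policy and "https:" in policy.get("default-src", []):
        findings.append("default-src https: allows scripts from any https origin")
    return findings


if __name__ == "__main__":
    for label, header in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(label, lint_csp(header) or "no findings")
```

Running it shows the looser policy still lets script load from any https origin (inline script is blocked, which is the point made above), while the locked-down policy comes back clean.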
Summary: Enable Content Security Policy (CSP) → Enable Content Security Policy (CSP) on SUMO
Summary: Enable Content Security Policy (CSP) on SUMO → Implement Content Security Policy (CSP) for SUMO
Adding to queue.
Pmac, is this something you can take on? I added to the github backlog for kitsune.
Flags: needinfo?(pmac)
Sure. Assigned.
Assignee: nobody → pmac
Status: NEW → ASSIGNED
Flags: needinfo?(pmac)

CSP is deployed in prod

Assignee: pmac → tasos
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED