Bug 1238772 - Implement Content Security Policy (CSP) for SUMO
Status: RESOLVED FIXED (Closed)
Opened 8 years ago; closed 2 years ago
Product / Component: support.mozilla.org :: Code Quality (task)
Tracking: Not tracked
People: Reporter: April; Assigned: tasos
Description
Hello! I was hoping we would be able to get Content Security Policy (CSP) enabled on support.mozilla.org. CSP is the most effective way to reduce cross-site scripting (XSS) attacks on our websites, particularly by disabling the ability for inline JavaScript to run.

In my experimenting with CSP, it seems that this policy works properly on su.mo, without causing any ill effects:

> Content-Security-Policy: default-src https:; img-src data: https:; style-src https: 'unsafe-inline'

(namely, allowing files to be loaded only via https:, images via https: and data:, and allowing inline stylesheets)

We could also try to lock it down a lot more, but there's a greater chance of something slipping through the cracks. This locked-down policy also seems to work for me:

> Content-Security-Policy: default-src none; connect-src 'self' https://*.optimizely.com; font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com https://*.optimizely.com; script-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://cdn.optimizely.com; style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'

Although I'd definitely recommend further testing on that one. su.mo seems really well-designed when it comes to supporting CSP, so I am confident that we can get there quickly. :)
Updated•8 years ago (Reporter)
Summary: Enable Content Security Policy (CSP) → Enable Content Security Policy (CSP) on SUMO
Updated•8 years ago (Reporter)
Summary: Enable Content Security Policy (CSP) on SUMO → Implement Content Security Policy (CSP) for SUMO
Comment 1•8 years ago (Reporter)
Found another script source today (geo.mozilla.org):

Content-Security-Policy: default-src 'none'; connect-src 'self' https://*.optimizely.com; font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com https://*.optimizely.com; script-src https://geo.mozilla.org https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net https://ssl.google-analytics.com https://cdn.optimizely.com; style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'
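The policies quoted in the description and in this comment can be checked mechanically against the loads a page actually makes, which is how a missing source such as geo.mozilla.org gets caught before deployment. What follows is an added example, not kitsune/SUMO code and not something posted in this bug: a small Python evaluator that parses a CSP header, resolves a fetch directive to its source list (falling back to default-src), and decides whether a given URL would be allowed. The page origin https://support.mozilla.org, the host attacker.example and the candidate loads are constructed for illustration. One detail it makes visible: the description's second policy writes default-src none without quotes, and under the CSP source-expression grammar an unquoted none is a host-source naming a host called "none", not the 'none' keyword; this comment's version has the quotes.

```python
"""Evaluate a Content-Security-Policy header against candidate resource loads.
Added example, not SUMO/kitsune code. Covers 'self', 'none', scheme-source (https:,
data:) and host-source (optional scheme, *. wildcard, port, path) as used in this bug.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(header):
    """Split a policy into {directive: [source, ...]}; a repeated directive is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _scheme_ok(pattern_scheme, url_scheme):
    """A plain scheme also matches its secure upgrade: http: allows https: loads."""
    upgrades = {"http": {"http", "https"}, "ws": {"ws", "wss"}}
    return url_scheme in upgrades.get(pattern_scheme, {pattern_scheme})


def _host_ok(pattern_host, host):
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # "*.optimizely.com" -> ".optimizely.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_matches(source, url, page_origin):
    """True if one source expression permits fetching url from a page at page_origin."""
    u = urlsplit(url)
    url_port = u.port or DEFAULT_PORT.get(u.scheme)
    keyword = source.lower()
    if keyword == "'self'":
        o = urlsplit(page_origin)
        return (u.scheme, u.hostname, url_port) == (o.scheme, o.hostname, o.port or DEFAULT_PORT.get(o.scheme))
    if keyword.startswith("'"):  # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...': never a URL match
        return False
    if keyword.endswith(":") and "/" not in keyword:  # scheme-source such as https: or data:
        return _scheme_ok(keyword[:-1], u.scheme)
    # host-source: [scheme://]host[:port][/path]. An unquoted none lands here as the host "none".
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:  # no scheme given: the page's own scheme is implied
        scheme, rest = urlsplit(page_origin).scheme, source
    if not _scheme_ok(scheme.lower(), u.scheme):
        return False
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not _host_ok(host.lower(), u.hostname or ""):
        return False
    if port not in ("", "*") and url_port != int(port):
        return False
    if port == "" and url_port != DEFAULT_PORT.get(u.scheme):
        return False
    if slash:  # path part: prefix match when it ends in "/", exact match otherwise
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def is_allowed(policy, directive, url, page_origin):
    """Evaluate a fetch directive, falling back to default-src when it is absent."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: the policy is silent
    return any(source_matches(s, url, page_origin) for s in sources)


def check_loads(header, loads, page_origin):
    """Map each (directive, url) candidate fetch to whether the policy allows it."""
    policy = parse_csp(header)
    return {(d, url): is_allowed(policy, d, url, page_origin) for d, url in loads}


# The two policies from this bug (description and comment 1); the origin below is constructed.
PERMISSIVE = "default-src https:; img-src data: https:; style-src https: 'unsafe-inline'"
LOCKED_DOWN = (
    "default-src 'none'; connect-src 'self' https://*.optimizely.com; "
    "font-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net; "
    "img-src data: https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net "
    "https://ssl.google-analytics.com https://secure.gravatar.com https://i2.wp.com https://*.optimizely.com; "
    "script-src https://geo.mozilla.org https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net "
    "https://ssl.google-analytics.com https://cdn.optimizely.com; "
    "style-src https://mozorg.cdn.mozilla.net https://support.cdn.mozilla.net 'unsafe-inline'"
)
ORIGIN = "https://support.mozilla.org"
```

Feed check_loads the (directive, URL) pairs harvested from a page's network log and anything mapped to False is a load the browser would block, which is exactly the class of finding (geo.mozilla.org) that this comment reports. The checker deliberately treats nonces, hashes and 'unsafe-inline' as never matching a URL, so they cannot widen what it reports as allowed.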
Comment 2•6 years ago
Adding to queue.
Comment 3•6 years ago
Pmac, is this something you can take on? I added to the github backlog for kitsune.
Flags: needinfo?(pmac)
Comment 4•6 years ago
Sure. Assigned.
Assignee: nobody → pmac
Status: NEW → ASSIGNED
Flags: needinfo?(pmac)
Comment 5•2 years ago (Assignee)
CSP is deployed in prod
Assignee: pmac → tasos
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED