Since we're shipping bits of code to Firefox, we want to sign the code before we send it. We'll probably be using the autograph service to help with this: https://github.com/mozilla-services/autograph
Content-Signature is an HTTP header. S3 doesn't allow us to set headers they don't know about. S3 doesn't support Content-Signature. Because of that, we will have to drop the idea of serving actions directly out of S3 if we need to sign them using the standard header. The other option is probably to make Django do it either as a normal view or by extending Whitenoise. We can still put the actions behind a heavily caching CDN. The responses are static, just more complex than we can convince S3 to serve.
Component: SHIELD → General
Product: Websites → Normandy
Summary: Sign actions using Content-Signature → [tracker] Sign actions using Content-Signature
This landed on master in PR #222 https://github.com/mozilla/normandy/pull/222
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Summary: [tracker] Sign actions using Content-Signature → [tracker] Sign recipes using Content-Signature