Open Bug 1270153 Opened 8 years ago Updated 5 years ago

[Meta] Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)

Categories

(Tree Management :: Treeherder: Infrastructure, defect, P3)

defect

Tracking

(Not tracked)

People

(Reporter: emorley, Unassigned)

References

(Depends on 2 open bugs)

Details

(Keywords: meta)

https://github.com/mozilla/http-observatory-cli

[~/src/treeherder]$ httpobs treeherder.mozilla.org
Score: 25 [E]
Modifiers:
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [  -5] X-Content-Type-Options header not implemented
    [ -10] Contribute.json file missing from root of website
    [ -10] X-XSS-Protection header not implemented
    [ -20] X-Frame-Options (XFO) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

The X-Content-Type-Options, X-XSS-Protection and X-Frame-Options entries will be dealt with once bug 1247344 lands.

Contribute.json is the existing bug 1186912.

This leaves:
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [ -25] Content Security Policy (CSP) header not implemented

The not-same-origin JS we load (that triggers the SRI entry) is all from Persona, so will go away once we move away from it.

I'll file a new bug for CSP.
Depends on: 1270157
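As an added illustration (not code from this bug, Treeherder, or the Observatory project), the following scorer reproduces the deductions quoted above for a map of response headers, so a deploy can be checked offline before re-running httpobs. The pass/fail rules, the starting score of 100 and the two constructed header sets are assumptions; the real Observatory rules are more nuanced.

```python
"""Simplified httpobs-style scorer built from the modifiers quoted in this bug.

Assumptions (not the Observatory's actual algorithm): score starts at 100,
each check is pass/fail, and the penalties are the ones httpobs printed above.
SRI and contribute.json cannot be judged from headers alone, so they are
passed in as flags.
"""

# (penalty, label as printed by httpobs) in the order httpobs listed them.
PENALTIES = {
    "sri": (-5, "Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https"),
    "xcto": (-5, "X-Content-Type-Options header not implemented"),
    "contribute": (-10, "Contribute.json file missing from root of website"),
    "xxss": (-10, "X-XSS-Protection header not implemented"),
    "xfo": (-20, "X-Frame-Options (XFO) header not implemented"),
    "csp": (-25, "Content Security Policy (CSP) header not implemented"),
}


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def score(headers, sri_ok=False, contribute_json=False):
    """Return (score, modifier lines) for a response-header map."""
    failed = []
    if not sri_ok:
        failed.append("sri")
    if (_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        failed.append("xcto")  # header must be present *and* say nosniff
    if not contribute_json:
        failed.append("contribute")
    if _header(headers, "X-XSS-Protection") is None:
        failed.append("xxss")
    if _header(headers, "X-Frame-Options") is None:
        failed.append("xfo")
    if _header(headers, "Content-Security-Policy") is None:
        failed.append("csp")
    total = 100 + sum(PENALTIES[k][0] for k in failed)
    lines = [f"[{PENALTIES[k][0]:4d}] {PENALTIES[k][1]}" for k in failed]
    return max(total, 0), lines


# Constructed sample header sets: a bare response, and one with the four headers set.
BARE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}
```

With the bare header set the function yields the same 25 and six modifier lines as the first httpobs run; adding the four headers raises it to 85, and passing `sri_ok=True, contribute_json=True` gives 100.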
Now that bug 1247344 has landed on stage...

[~/src/treeherder]$ httpobs -r treeherder.allizom.org

Score: 60 [C+]
Modifiers:
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [ -10] Contribute.json file missing from root of website
    [ -25] Content Security Policy (CSP) header not implemented
Depends on: 1289159
Depends on: 1289421
Depends on: 1289471
Latest grade is B:
https://observatory.mozilla.org/analyze.html?host=treeherder.mozilla.org

Remaining areas where points can be had:
- CSP (bug 1270157)
- SRI (bug 1289471)
- (Bonus points only) HPKP
- (Bonus points only) HSTS preloading (but not really possible on a subdomain, so blocked on mozilla.org doing this; see bug 1289421 comment 3)
Summary: Apply recommendations from the Mozilla HTTP Observatory tool → Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)
Assignee: nobody → emorley
Assignee: emorley → nobody
Keywords: meta
Summary: Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org) → [Meta] Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)
Depends on: 1529862
Depends on: 1530607