Open
Bug 1270153
Opened 8 years ago
Updated 5 years ago
[Meta] Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)
Categories
(Tree Management :: Treeherder: Infrastructure, defect, P3)
Tree Management
Treeherder: Infrastructure
Tracking
(Not tracked)
NEW
People
(Reporter: emorley, Unassigned)
References
(Depends on 2 open bugs)
Details
(Keywords: meta)
https://github.com/mozilla/http-observatory-cli

[~/src/treeherder]$ httpobs treeherder.mozilla.org
Score: 25 [E]
Modifiers:
[ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
[ -5] X-Content-Type-Options header not implemented
[ -10] Contribute.json file missing from root of website
[ -10] X-XSS-Protection header not implemented
[ -20] X-Frame-Options (XFO) header not implemented
[ -25] Content Security Policy (CSP) header not implemented

The X-Content-Type-Options, X-XSS-Protection and X-Frame-Options entries will be dealt with once bug 1247344 lands.
Contribute.json is the existing bug 1186912.

This leaves:
[ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
[ -25] Content Security Policy (CSP) header not implemented

The not-same-origin JS we load (that triggers the SRI entry) is all from Persona, so will go away once we move away from it.

I'll file a new bug for CSP.
Reporter
Comment 1 • 8 years ago
Now that bug 1247344 has landed on stage...

[~/src/treeherder]$ httpobs -r treeherder.allizom.org
Score: 60 [C+]
Modifiers:
[ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
[ -10] Contribute.json file missing from root of website
[ -25] Content Security Policy (CSP) header not implemented
Reporter
Comment 2 • 8 years ago
Latest grade is B: https://observatory.mozilla.org/analyze.html?host=treeherder.mozilla.org

Remaining areas where points can be had:
- CSP (bug 1270157)
- SRI (bug 1289471)
- (Bonus points only) HPKP
- (Bonus points only) HSTS preloading (but not really possible on a subdomain, so blocked on mozilla.org doing this; see bug 1289421 comment 3)
Summary: Apply recommendations from the Mozilla HTTP Observatory tool → Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)
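As an added example (not code from this bug, Treeherder, or the Observatory project), a small checker that applies the deductions listed above to a set of response headers, so the two scores in this bug can be reproduced offline; the header sets are constructed, the header tests are presence-only simplifications of the real Observatory tests, and the Contribute.json and SRI findings are modelled as flags:

```python
from typing import Dict, List, Tuple

# Deductions quoted from the httpobs output in this bug. Presence-only checks
# are an assumption of this example; the Observatory also inspects values.
HEADER_CHECKS: List[Tuple[str, int, str]] = [
    ("content-security-policy", -25, "Content Security Policy (CSP) header not implemented"),
    ("x-frame-options", -20, "X-Frame-Options (XFO) header not implemented"),
    ("x-xss-protection", -10, "X-XSS-Protection header not implemented"),
    ("x-content-type-options", -5, "X-Content-Type-Options header not implemented"),
]


def score_headers(headers: Dict[str, str], contribute_json: bool = True,
                  sri: bool = True) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (score, modifiers) for one response's headers.

    Header names are matched case-insensitively. contribute_json and sri
    are assumed flags standing in for the two non-header findings."""
    present = {name.lower() for name in headers}
    modifiers: List[Tuple[int, str]] = []
    for name, points, reason in HEADER_CHECKS:
        if name not in present:
            modifiers.append((points, reason))
    if not contribute_json:
        modifiers.append((-10, "Contribute.json file missing from root of website"))
    if not sri:
        modifiers.append((-5, "Subresource Integrity (SRI) not implemented, "
                              "but all external scripts are loaded over https"))
    # Score starts at 100 and each modifier is subtracted; smallest deduction first,
    # matching the order httpobs prints.
    score = 100 + sum(points for points, _ in modifiers)
    return score, sorted(modifiers, key=lambda m: -m[0])


# Constructed header sets: the state before bug 1247344 landed, and after it
# added the three simple headers. CSP is still missing in both.
BEFORE = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000"}
AFTER = dict(BEFORE, **{"X-Content-Type-Options": "nosniff",
                        "X-XSS-Protection": "1; mode=block",
                        "X-Frame-Options": "DENY"})

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        score, mods = score_headers(hdrs, contribute_json=False, sri=False)
        print(f"{label}: Score: {score}")
        for points, reason in mods:
            print(f"  [{points:>4}] {reason}")
```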
Reporter
Updated • 7 years ago
Assignee: nobody → emorley
Reporter
Updated • 5 years ago
Assignee: emorley → nobody
Keywords: meta
Summary: Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org) → [Meta] Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)