Create service to authenticate stub attribution request

RESOLVED FIXED

People

(Reporter: ckprice, Assigned: pmac)

Tracking

(Blocks: 1 bug)

Production

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [q4 sprint 2], URL)

Attachments

(1 attachment)

Created attachment 8761318 [details]
https://public.etherpad-mozilla.org/p/st2u5U0HyH

Reference from attached notes from the meeting with ckprice, pmac, oremj, cmore, ulfr.

This service will support the stub attribution project tracked in bug 1259607.

Rough steps are:

Service will be called when the download button is rendered.

AJAX service (moz.org)
- accepts combo of 4 values (source/medium/campaign/content).
- attaches a signed key (via hmac).
- adds it to the link.
Note: the hmac value must include the data we care to protect. In this instance: the source/medium/campaign/content combo. Otherwise an attacker could reuse the hmac with a different set of values.
Hey Cory-

What's the timeline and level of prioritization for this work?

Did pmac give an LOE (small, medium, large?) for this work when you met?

Could you please include Eric Renaud, our new scrum master, in any future meetings about this going forward?

Thx,
Jen
Flags: needinfo?(cprice)
(In reply to Jennifer Bertsch [:jbertsch] from comment #2)
> Hey Cory-
> 
> What's the timeline and level of prioritization for this work?
> 
> Did pmac give an LOE (small, medium, large?) for this work when you met?
> 
> Could you please include Eric Renaud, our new scrum master, in any future
> meetings about this going forward?
> 
> Thx,
> Jen

Lateraling these questions to :cmore as he is our marketing contact here.

Regarding timing: this is dependent on bug 1261140 comment 32 landing, which is currently riding the Fx 49 train (Sept 13). We do have an uplift request for Aug 2. :cmore please confirm the Sept 13 date is okay.
Flags: needinfo?(cprice) → needinfo?(chrismore.bugzilla)

Comment 4

2 years ago
(In reply to Cory Price [:ckprice] from comment #3)
> (In reply to Jennifer Bertsch [:jbertsch] from comment #2)
> > Hey Cory-
> > 
> > What's the timeline and level of prioritization for this work?
> > 
> > Did pmac give an LOE (small, medium, large?) for this work when you met?
> > 
> > Could you please include Eric Renaud, our new scrum master, in any future
> > meetings about this going forward?
> > 
> > Thx,
> > Jen
> 
> Lateraling these questions to :cmore as he is our marketing contact here.
> 
> Regarding timing: this is dependent on bug 1261140 comment 32 landing, which is
> currently riding the Fx 49 train (Sept 13). We do have an uplift request for
> Aug 2. :cmore please confirm the Sept 13 date is okay.

Confirmed Sept 13th if no uplift is available.
Flags: needinfo?(chrismore.bugzilla)
New target for this is Firefox 50 (November 8th).
Assignee: nobody → pmac

Updated

2 years ago
Whiteboard: [PBL]

Updated

2 years ago
Whiteboard: [PBL] → [q4 sprint 2]
Alex, Josh, and I just had a chat about the current PR[0]. We need to change some things, and this is what we'll be doing:

* The rate-limiting will happen on the client side. We'll add the "STUB_ATTRIBUTION_RATE" value to a data attribute in the templates which the JS can then grab to use for limiting. e.g. if the value is set to "0.2" then 20% of Windows download buttons will get the attribution attributes.

* The service itself can be switched on and off via the same "STUB_ATTRIBUTION_RATE" setting with a value of "0". If the value is "0" then the JS will not be included in the pages and the AJAX service will respond with a 403.

* The client-side code should only request the attribution codes if the following conditions are met:
  a. The page has a Firefox download button.
  b. Said button is displaying the "windows" download version.
  c. The rate limiting test passes.

[0] https://github.com/mozilla/bedrock/pull/4253/

Comment 7

2 years ago
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/2dab617a772535d0b620e7240221f5b26e93d699
Bug 1278981: Add service to sign Stub Attribution URL params

* Uses HMAC with SHA256
* Add a timestamp to attribution code
* Referrer should only be used when there is no "source"
* Add ability to adjust rate of issuance of stub attributions

https://github.com/mozilla/bedrock/commit/74bfea01c2ce01603730194ad63122ab0dd8b14b
Merge pull request #4253 from pmac/add-hmac-funnelcake-service-1278981

Bug 1278981: Add service to sign Stub Attribution URL params
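
The note in the bug description (the HMAC must cover the source/medium/campaign/content combo) and the commit summary above (HMAC with SHA256, timestamp in the attribution code) can be illustrated with the sketch below. It is an added example, not bedrock's code: the key, the function names, the serialization, and `MAX_AGE` are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

FIELDS = ("source", "medium", "campaign", "content")  # the four values from the bug
SECRET = b"constructed-demo-key-not-a-real-secret"    # assumption: server-side key
MAX_AGE = 600                                         # assumption: accepted age, seconds


def _canonical(values, timestamp):
    # urlencode escapes "&" and "=" inside values, so two different field
    # combinations can never serialize to the same signed string.
    pairs = [(name, values.get(name, "")) for name in FIELDS]
    pairs.append(("timestamp", str(timestamp)))
    return urlencode(pairs)


def _mac(code):
    return hmac.new(SECRET, code.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_attribution(values, now=None):
    """Return (code, signature); the MAC covers all four fields and the timestamp."""
    timestamp = int(time.time() if now is None else now)
    code = _canonical(values, timestamp)
    return code, _mac(code)


def verify_attribution(code, sig, now=None):
    """Return the field dict if the signature and age are valid, else None."""
    # Compare as bytes in constant time; reject before parsing anything.
    if not hmac.compare_digest(_mac(code).encode(), sig.encode()):
        return None
    parsed = {k: v[0] for k, v in parse_qs(code, keep_blank_values=True).items()}
    age = (time.time() if now is None else now) - int(parsed["timestamp"])
    if age < 0 or age > MAX_AGE:
        return None
    return {name: parsed.get(name, "") for name in FIELDS}


if __name__ == "__main__":
    sample = {"source": "example.com", "medium": "referral",
              "campaign": "(not set)", "content": "(not set)"}  # constructed input
    code, sig = sign_attribution(sample, now=1_000_000)
    print(verify_attribution(code, sig, now=1_000_100))
    swapped = code.replace("source=example.com", "source=other.example")
    print(verify_attribution(swapped, sig, now=1_000_100))       # fields changed
    print(verify_attribution(code, sig, now=1_000_000 + 3600))   # older than MAX_AGE
```

Because the signed string contains every field plus the timestamp, a signature issued for one combination does not verify for another, and an old code/signature pair stops verifying once it exceeds `MAX_AGE`.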
This is done and in prod. The front-end bits needed to use this service are still in progress in bug 1279291 and the associated PR:

https://github.com/mozilla/bedrock/pull/4456
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED