Closed Bug 1303371 Opened 3 years ago Closed 3 years ago

Serve the HPKP header on addons.mozilla.org

Categories: addons.mozilla.org :: Security, defect, P1

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: ulfr, Assigned: jason

The following header should be served on all AMO pages. It will lock addons.mozilla.org and ALL of its subdomains to the DigiCert EV and regular roots for 120 seconds.

Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";

Once we're confident this does not break users, we need to extend max age to 60 days:

Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
Priority: -- → P1
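An added example, not code from AMO or Mozilla: a small Python checker that parses a `curl -D-` header dump like the ones in this bug, extracts the `Public-Key-Pins` directives (RFC 7469), computes a pin from a certificate's SubjectPublicKeyInfo DER the way a browser does, and flags the operational mistakes a reviewer looks for before widening `max-age` (fewer than two pins, malformed pins, a lifetime past the 60 days this bug rolls towards). The header text is copied from the bug's curl output; the SPKI byte strings are constructed stand-ins, since the real pins come from the DigiCert certificates' actual SubjectPublicKeyInfo.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PinPolicy:
    """Directives of one Public-Key-Pins header (RFC 7469 section 2.1)."""
    max_age: int
    include_subdomains: bool
    pins: List[str]              # base64(SHA-256(SubjectPublicKeyInfo DER))
    report_uri: Optional[str]


def parse_header_block(raw: str) -> Dict[str, List[str]]:
    """Turn a `curl -D-` header dump into {lower-cased name: [values]}.
    Repeated headers (the dumps above carry two Vary lines) are kept as a list."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line.strip():
            break                        # blank line ends the header block
        if line.startswith("HTTP/"):
            continue                     # status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hpkp(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins value. Directives are ';'-separated; pin values are
    quoted base64 that may end in '=', so each directive is split on its first '=' only."""
    max_age: Optional[int] = None
    include_subdomains = False
    pins: List[str] = []
    report_uri: Optional[str] = None
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue                     # trailing ';' as in the bug's first header
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "pin-sha256":
            pins.append(val)
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        raise ValueError("Public-Key-Pins without max-age is invalid and ignored by clients")
    return PinPolicy(max_age, include_subdomains, pins, report_uri)


def spki_pin(spki_der: bytes) -> str:
    """Pin for one certificate's SubjectPublicKeyInfo (RFC 7469 section 2.4)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches(policy: PinPolicy, chain_spki_der: List[bytes]) -> bool:
    """A pinned host is accepted when any SPKI in the validated chain matches a pin."""
    return any(spki_pin(spki) in policy.pins for spki in chain_spki_der)


def policy_problems(policy: PinPolicy) -> List[str]:
    """Checks a reviewer runs before widening max-age; the 60-day ceiling is this bug's target."""
    problems = []
    if len(policy.pins) < 2:
        problems.append("fewer than two pins: clients require a backup pin, and a key "
                        "rotation would lock pinned users out")
    for pin in policy.pins:
        try:
            ok = len(base64.b64decode(pin, validate=True)) == 32
        except ValueError:
            ok = False
        if not ok:
            problems.append("pin-sha256 %r does not decode to a 32-byte SHA-256 digest" % pin)
    if policy.max_age > 60 * 24 * 3600:
        problems.append("max-age above 60 days: a wrong pin would lock users out longer than planned")
    return problems


# Header dump copied from this bug's production curl output (20 Oct 2016), trimmed.
PROD_DUMP = """HTTP/1.1 301 MOVED PERMANENTLY
Cache-Control: max-age=31536000
Location: https://addons.mozilla.org/en-US/firefox/
Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
strict-transport-security: max-age=31536000
Vary: Accept-Language, User-Agent, X-Mobile
X-Frame-Options: DENY
Content-Length: 0
Connection: keep-alive

"""
# The 120-second staging header from this bug, with its report-uri.
STAGE_HEADER = ('max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
                'pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"')

# Constructed byte strings standing in for SubjectPublicKeyInfo DER; not real keys.
FAKE_LEAF_SPKI = b"constructed-leaf-spki"
FAKE_INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
FAKE_BACKUP_SPKI = b"constructed-offline-backup-key-spki"


def prod_policy() -> PinPolicy:
    return parse_hpkp(parse_header_block(PROD_DUMP)["public-key-pins"][0])


def constructed_policy() -> PinPolicy:
    """Pins the constructed intermediate plus an offline backup key, as a short trial policy."""
    return PinPolicy(120, True, [spki_pin(FAKE_INTERMEDIATE_SPKI), spki_pin(FAKE_BACKUP_SPKI)], None)


if __name__ == "__main__":
    print(prod_policy(), policy_problems(prod_policy()))
    print(chain_matches(constructed_policy(), [FAKE_LEAF_SPKI, FAKE_INTERMEDIATE_SPKI]))
```

The staged `max-age` values in this bug (120 seconds on stage, then 300 and 90000, 648000, finally 5184000) exist because a client that caches a wrong pin is locked out of every covered host for that long; `policy_problems` is the sort of check that belongs in the deploy step that raises the value.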
This has been deployed on all AMO stage endpoints; please test and let me know if any changes need to be made.

* curl https://discovery.addons.allizom.org/en-US/firefox/discovery/pane/49.0a2/Darwin/normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src 'none'; connect-src https://addons.allizom.org; form-action 'none'; frame-src 'none'; img-src 'self' data: https://addons-stage-cdn.allizom.org https://addons-discovery-cdn.allizom.org https://www.google-analytics.com; media-src https://addons-discovery-cdn.allizom.org; object-src 'none'; script-src https://addons-discovery-cdn.allizom.org https://www.google-analytics.com/analytics.js; style-src https://addons-discovery-cdn.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Fri, 16 Sep 2016 20:51:09 GMT
ETag: W/"7972-24nbNE9zXqIzKNQC4TCRWA"
Expires: Fri, 16 Sep 2016 21:51:09 GMT
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src 'none'; connect-src https://addons.allizom.org; form-action 'none'; frame-src 'none'; img-src 'self' data: https://addons-stage-cdn.allizom.org https://addons-discovery-cdn.allizom.org https://www.google-analytics.com; media-src https://addons-discovery-cdn.allizom.org; object-src 'none'; script-src https://addons-discovery-cdn.allizom.org https://www.google-analytics.com/analytics.js; style-src https://addons-discovery-cdn.allizom.org; report-uri /__cspreport__
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Proxy-Cache: MISS
X-WebKit-CSP: default-src 'none'; base-uri 'self'; child-src 'none'; connect-src https://addons.allizom.org; form-action 'none'; frame-src 'none'; img-src 'self' data: https://addons-stage-cdn.allizom.org https://addons-discovery-cdn.allizom.org https://www.google-analytics.com; media-src https://addons-discovery-cdn.allizom.org; object-src 'none'; script-src https://addons-discovery-cdn.allizom.org https://www.google-analytics.com/analytics.js; style-src https://addons-discovery-cdn.allizom.org; report-uri /__cspreport__
X-XSS-Protection: 1; mode=block
Content-Length: 31090
Connection: keep-alive

* curl https://services.addons.allizom.org/en-US/firefox/discovery/pane/49.0a2/Darwin/normal -D- -so/dev/null
HTTP/1.1 200 OK
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Fri, 16 Sep 2016 20:51:58 GMT
ETag: "3dd5735e5dcd3ac23e7cf177e74a5515"
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
strict-transport-security: max-age=31536000
Vary: Accept-Encoding
Vary: X-Mobile, User-Agent
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

* curl https://blocklist.allizom.org/blocklist/3/x/x/x/ -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; report-uri /__cspreport__
Content-Type: text/xml; charset=utf-8
Date: Fri, 16 Sep 2016 20:52:51 GMT
ETag: "1961ff8f0fe7ef7d6b4a7a9954e02fb9"
Expires: Fri, 16 Sep 2016 21:52:51 GMT
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
strict-transport-security: max-age=31536000
Vary: Accept-Encoding
Vary: X-Mobile, User-Agent
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

* curl https://addons.allizom.org/en-US/firefox/ -D- -so/dev/null
HTTP/1.1 200 OK
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Fri, 16 Sep 2016 20:53:39 GMT
ETag: "7b26e77becafbc47fedae4bd4192f9fc"
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Set-Cookie: sessionid=".eJwFwdENgDAIBcBdmOAVSSkuY6CFBeyHiXF3716qx697-046CarzYGdYN1GMbIMDnkhB2oKrL0GvquUqLYeJcAuVWVExQd8PraEXHw:1bl08h:aowHjGl4H8XSsMUsGzih9PZKblg"; Domain=.addons.allizom.org; expires=Sun, 16-Oct-2016 20:53:39 GMT; httponly; Max-Age=2592000; Path=/; secure
strict-transport-security: max-age=31536000
Vary: X-Mobile, User-Agent
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

* curl -G https://versioncheck.allizom.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Fri, 16 Sep 2016 20:54:21 GMT
Expires: Fri, 16 Sep 2016 21:54:21 GMT
Last-Modified: Fri, 16 Sep 2016 20:54:21 GMT
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Content-Length: 154
Connection: keep-alive
After a quick check - Install from amo and discopane, add-on submission, add-on updates all seem to work on prod.
(In reply to kraj from comment #2)
> After a quick check - Install from amo and discopane, add-on submission,
> add-on updates all seem to work on prod.

All of that works on prod because the changes haven't landed on prod yet :(
For now we've only deployed HPKP changes with max-age=90000 to versioncheck* prod endpoints.

curl -G https://versioncheck.addons.mozilla.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D-
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Fri, 16 Sep 2016 22:59:44 GMT
Expires: Fri, 16 Sep 2016 23:59:44 GMT
Last-Modified: Fri, 16 Sep 2016 22:59:44 GMT
Public-Key-Pins: max-age=90000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Content-Length: 154
Connection: keep-alive
Looks like all went well over the weekend. Can we extend the header to all addons.mozilla.org domains and subdomains, with a max-age of 300 for a couple days (and leave max-age=90000 on versioncheck)?

Public-Key-Pins: max-age=300; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__";
Flags: needinfo?(jthomas)
PKP header in Comment 5 has been added to all addons.mozilla.org domains, including services.addons.mozilla.org, discovery.addons.mozilla.org, blocklist.addons.mozilla.org.
Flags: needinfo?(jthomas)
We didn't break the versioncheck/versioncheck-bg server and it's been a week. Can we increase this one to a week or 8 days now? max-age=648000 (split the diff)
(In reply to Daniel Veditz [:dveditz] from comment #7)
> we didn't break the versioncheck/versioncheck-bg server and it's been a
> week. Can we increase this one to a week or 8 days now? max-age=648000
> (split the diff)

Done for VAMO endpoints:

curl -G https://versioncheck.addons.mozilla.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Fri, 23 Sep 2016 19:04:00 GMT
Expires: Fri, 23 Sep 2016 20:04:00 GMT
Last-Modified: Fri, 23 Sep 2016 19:03:21 GMT
Public-Key-Pins: max-age=648000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Content-Length: 154
Connection: keep-alive
:ulfr, are we good to bump these up to max-age=5184000?
Yes. Also, you can drop the report-uri for now.
Done on addons.mozilla.org, services.addons.mozilla.org, discovery.addons.mozilla.org:

curl https://addons.mozilla.org -D- -so/dev/null
HTTP/1.1 301 MOVED PERMANENTLY
Cache-Control: max-age=31536000
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Thu, 20 Oct 2016 14:47:31 GMT
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Location: https://addons.mozilla.org/en-US/firefox/
Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
Server: nginx
strict-transport-security: max-age=31536000
Vary: Accept-Language, User-Agent, X-Mobile
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Content-Length: 0
Connection: keep-alive
Done on versioncheck.addons.mozilla.org:
curl -G https://versioncheck.addons.mozilla.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Wed, 26 Oct 2016 20:49:12 GMT
Expires: Wed, 26 Oct 2016 21:49:12 GMT
Last-Modified: Wed, 26 Oct 2016 20:49:12 GMT
Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
Server: nginx
Content-Length: 154
Connection: keep-alive
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED