Closed Bug 1303371 Opened 8 years ago Closed 8 years ago

Serve the HPKP header on addons.mozilla.org

Categories

(addons.mozilla.org :: Security, defect, P1)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jvehent, Assigned: jason)

Details

The following header should be served on all AMO pages. It will lock addons.mozilla.org and ALL of its subdomains to the DigiCert EV and regular roots for 120 seconds.

Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";

Once we're confident this does not break users, we need to extend max-age to 60 days:

Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";
Priority: -- → P1
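As an added illustration (not code from the bug, from AMO or from Mozilla), a small RFC 7469 parser and checker for the Public-Key-Pins header quoted above: it pulls out max-age, includeSubDomains and the pin-sha256 values, flags headers a browser would not honour (missing max-age, fewer than two pins, a pin that is not a base64 SHA-256 digest), and shows how a pin is derived from a certificate's DER SubjectPublicKeyInfo so a deployment can confirm the served chain matches a pinned value before raising max-age. Extracting the SPKI from a certificate needs an X.509 parser (for example the cryptography package), which this block deliberately leaves out; the function names are this example's own.

```python
import base64
import hashlib
import re

# Header from comment 0 of the bug, used here as the sample input.
SAMPLE_HEADER = ('max-age=120; includeSubDomains; '
                 'pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
                 'pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=";')

# One directive: a name, optionally "=" and a quoted or bare value (RFC 7469, section 2.1).
_DIRECTIVE_RE = re.compile(r'([A-Za-z0-9-]+)(?:\s*=\s*(?:"([^"]*)"|([^;\s]*)))?')

def parse_pkp(header_value):
    """Split a Public-Key-Pins header value into its directives."""
    parsed = {"max_age": None, "include_subdomains": False, "pins": [], "report_uri": None}
    for part in filter(None, (p.strip() for p in header_value.split(";"))):  # skips trailing ";"
        m = _DIRECTIVE_RE.fullmatch(part)
        if m is None:
            raise ValueError("malformed directive: %r" % part)
        name, value = m.group(1).lower(), m.group(2) if m.group(2) is not None else m.group(3)
        if name == "max-age":
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "pin-sha256":
            parsed["pins"].append(value)
        elif name == "report-uri":
            parsed["report_uri"] = value
    return parsed

def check_pkp(parsed):
    """Reasons a browser would ignore the header (RFC 7469); an empty list means usable."""
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age is required")
    if len(parsed["pins"]) < 2:
        problems.append("at least two pins are required (one must be a backup pin)")
    for pin in parsed["pins"]:
        if not re.fullmatch(r'[A-Za-z0-9+/]{43}=', pin):  # 32 bytes in base64 has exactly this shape
            problems.append("not a base64 SHA-256 digest: %s" % pin)
    return problems

def pin_from_spki(spki_der):
    """pin-sha256 value of a DER SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_matches(spki_der, parsed):
    """True when this key is one of the pinned ones, i.e. a chain containing it satisfies the pin set."""
    return pin_from_spki(spki_der) in parsed["pins"]
```

Running check_pkp on each step of the rollout below (max-age 120, 300, 90000, 648000, 5184000) returns an empty list; only the pin values, not the lifetime, decide whether a chain is accepted.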
This has been deployed on all AMO stage endpoints, please test and let me know if any changes need to be made.

* curl https://discovery.addons.allizom.org/en-US/firefox/discovery/pane/49.0a2/Darwin/normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src 'none'; connect-src https://addons.allizom.org; form-action 'none'; frame-src 'none'; img-src 'self' data: https://addons-stage-cdn.allizom.org https://addons-discovery-cdn.allizom.org https://www.google-analytics.com; media-src https://addons-discovery-cdn.allizom.org; object-src 'none'; script-src https://addons-discovery-cdn.allizom.org https://www.google-analytics.com/analytics.js; style-src https://addons-discovery-cdn.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Fri, 16 Sep 2016 20:51:09 GMT
ETag: W/"7972-24nbNE9zXqIzKNQC4TCRWA"
Expires: Fri, 16 Sep 2016 21:51:09 GMT
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src 'none'; connect-src https://addons.allizom.org; form-action 'none'; frame-src 'none'; img-src 'self' data: https://addons-stage-cdn.allizom.org https://addons-discovery-cdn.allizom.org https://www.google-analytics.com; media-src https://addons-discovery-cdn.allizom.org; object-src 'none'; script-src https://addons-discovery-cdn.allizom.org https://www.google-analytics.com/analytics.js; style-src https://addons-discovery-cdn.allizom.org; report-uri /__cspreport__
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Proxy-Cache: MISS
X-WebKit-CSP: default-src 'none'; base-uri 'self'; child-src 'none'; connect-src https://addons.allizom.org; form-action 'none'; frame-src 'none'; img-src 'self' data: https://addons-stage-cdn.allizom.org https://addons-discovery-cdn.allizom.org https://www.google-analytics.com; media-src https://addons-discovery-cdn.allizom.org; object-src 'none'; script-src https://addons-discovery-cdn.allizom.org https://www.google-analytics.com/analytics.js; style-src https://addons-discovery-cdn.allizom.org; report-uri /__cspreport__
X-XSS-Protection: 1; mode=block
Content-Length: 31090
Connection: keep-alive

* curl https://services.addons.allizom.org/en-US/firefox/discovery/pane/49.0a2/Darwin/normal -D- -so/dev/null
HTTP/1.1 200 OK
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Fri, 16 Sep 2016 20:51:58 GMT
ETag: "3dd5735e5dcd3ac23e7cf177e74a5515"
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
strict-transport-security: max-age=31536000
Vary: Accept-Encoding
Vary: X-Mobile, User-Agent
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

* curl https://blocklist.allizom.org/blocklist/3/x/x/x/ -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; report-uri /__cspreport__
Content-Type: text/xml; charset=utf-8
Date: Fri, 16 Sep 2016 20:52:51 GMT
ETag: "1961ff8f0fe7ef7d6b4a7a9954e02fb9"
Expires: Fri, 16 Sep 2016 21:52:51 GMT
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
strict-transport-security: max-age=31536000
Vary: Accept-Encoding
Vary: X-Mobile, User-Agent
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

* curl https://addons.allizom.org/en-US/firefox/ -D- -so/dev/null
HTTP/1.1 200 OK
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com https://www.sandbox.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Fri, 16 Sep 2016 20:53:39 GMT
ETag: "7b26e77becafbc47fedae4bd4192f9fc"
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Set-Cookie: sessionid=".eJwFwdENgDAIBcBdmOAVSSkuY6CFBeyHiXF3716qx697-046CarzYGdYN1GMbIMDnkhB2oKrL0GvquUqLYeJcAuVWVExQd8PraEXHw:1bl08h:aowHjGl4H8XSsMUsGzih9PZKblg"; Domain=.addons.allizom.org; expires=Sun, 16-Oct-2016 20:53:39 GMT; httponly; Max-Age=2592000; Path=/; secure
strict-transport-security: max-age=31536000
Vary: X-Mobile, User-Agent
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

* curl -G https://versioncheck.allizom.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Fri, 16 Sep 2016 20:54:21 GMT
Expires: Fri, 16 Sep 2016 21:54:21 GMT
Last-Modified: Fri, 16 Sep 2016 20:54:21 GMT
Public-Key-Pins: max-age=120; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Content-Length: 154
Connection: keep-alive
After a quick check - install from AMO and discopane, add-on submission, and add-on updates all seem to work on prod.
(In reply to kraj from comment #2)
> After a quick check - install from AMO and discopane, add-on submission,
> and add-on updates all seem to work on prod.

All of that works on prod because the changes haven't landed on prod yet :(
For now we've only deployed HPKP changes with max-age=90000 to versioncheck* prod endpoints.

curl -G https://versioncheck.addons.mozilla.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D-
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Fri, 16 Sep 2016 22:59:44 GMT
Expires: Fri, 16 Sep 2016 23:59:44 GMT
Last-Modified: Fri, 16 Sep 2016 22:59:44 GMT
Public-Key-Pins: max-age=90000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Content-Length: 154
Connection: keep-alive
Looks like all went well over the weekend. Can we extend the header to all addons.mozilla.org domains and subdomains, with a max-age of 300 for a couple of days (and leave max-age=90000 on versioncheck)?

Public-Key-Pins: max-age=300; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__";
Flags: needinfo?(jthomas)
The PKP header in comment 5 has been added to all addons.mozilla.org domains, including services.addons.mozilla.org, discovery.addons.mozilla.org and blocklist.addons.mozilla.org.
Flags: needinfo?(jthomas)
We didn't break the versioncheck/versioncheck-bg server and it's been a week. Can we increase this one to a week or 8 days now? max-age=648000 (split the diff)
(In reply to Daniel Veditz [:dveditz] from comment #7)
> We didn't break the versioncheck/versioncheck-bg server and it's been a
> week. Can we increase this one to a week or 8 days now? max-age=648000
> (split the diff)

Done for VAMO endpoints:

curl -G https://versioncheck.addons.mozilla.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Fri, 23 Sep 2016 19:04:00 GMT
Expires: Fri, 23 Sep 2016 20:04:00 GMT
Last-Modified: Fri, 23 Sep 2016 19:03:21 GMT
Public-Key-Pins: max-age=648000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__"
Server: nginx
Content-Length: 154
Connection: keep-alive
:ulfr, are we good to bump these up to max-age=5184000?
Yes. Also, you can drop the report-uri for now.
Done on addons.mozilla.org, services.addons.mozilla.org, discovery.addons.mozilla.org:

curl https://addons.mozilla.org -D- -so/dev/null
HTTP/1.1 301 MOVED PERMANENTLY
Cache-Control: max-age=31536000
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.paypalobjects.com/js/external/dg.js https://addons.cdn.mozilla.net; img-src 'self' data: blob: https://www.paypal.com https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net; object-src 'none'; default-src 'self'; frame-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; media-src https://videos.cdn.mozilla.net; child-src 'self' https://ic.paypal.com https://paypal.com https://www.google.com/recaptcha/ https://www.paypal.com; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Thu, 20 Oct 2016 14:47:31 GMT
ETag: "d41d8cd98f00b204e9800998ecf8427e"
Location: https://addons.mozilla.org/en-US/firefox/
Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
Server: nginx
strict-transport-security: max-age=31536000
Vary: Accept-Language, User-Agent, X-Mobile
x-content-type-options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Content-Length: 0
Connection: keep-alive
Done on versioncheck.addons.mozilla.org:

curl -G https://versioncheck.addons.mozilla.org/update/VersionCheck.php\?reqVersion\=2\&id\=\{1280606b-2510-4fe0-97ef-9b5a22eafe30\}\&version\=0.8.1.8pre20151105b\&maxAppVersion\=45.0\&status\=userEnabled\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=45.0a1\&appOS\=WINNT\&appABI\=x86_64-msvc\&locale\=en-US\&currentAppVersion\=45.0a1\&updateType\=97\&compatMode\=normal -D- -so/dev/null
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: text/xml; charset=utf-8
Date: Wed, 26 Oct 2016 20:49:12 GMT
Expires: Wed, 26 Oct 2016 21:49:12 GMT
Last-Modified: Wed, 26 Oct 2016 20:49:12 GMT
Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
Server: nginx
Content-Length: 154
Connection: keep-alive
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED