[observatory] snippets.cdn.mozilla.net (C)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: Atoll)

Tracking

(Depends on: 1 bug)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3543])

(Assignee)

Description

2 years ago
We host this site on CloudFront. It currently scores a C:

HTTP Observatory Report: snippets.cdn.mozilla.net

Score Rule                           Description
  -25 content-security-policy        Content Security Policy (CSP) header not implemented.
  -20 redirection                    Does not redirect to an https site.
    0 cookies                        No cookies detected.
    0 cross-origin-resource-sharing  Content is not visible via cross-origin resource sharing (CORS) files or headers.
    0 public-key-pinning             HTTP Public Key Pinning (HPKP) header not implemented.
    0 contribute                     Contribute.json implemented with the required contact information.
    0 strict-transport-security      HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000).
    0 subresource-integrity          Subresource Integrity (SRI) is not needed since site contains no script tags.
    0 x-content-type-options         X-Content-Type-Options header set to "nosniff".
    0 x-frame-options                X-Frame-Options (XFO) header set to SAMEORIGIN or DENY.
    0 x-xss-protection               X-XSS-Protection header set to "1; mode=block".

Score: 55
Grade: C
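As an added example (not part of this bug report or of the site's actual configuration), the following scores a header set the way the report above does: the -25 CSP and -20 redirection penalties and the 15768000-second HSTS threshold come from the report, while the letter-grade bands are the Observatory's published scale as I recall it (an assumption; the report itself only confirms 55 -> C) and the header values are constructed samples.

```python
import re

# Penalties and the HSTS threshold are the ones quoted in the report above.
# GRADE_BANDS is assumed from the Observatory's published scale (55 -> C is confirmed).
HSTS_MIN_AGE = 15768000  # six months
GRADE_BANDS = [(100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"), (65, "B-"),
               (60, "C+"), (50, "C"), (45, "C-"), (40, "D+"), (30, "D"), (25, "D-"), (0, "F")]

def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value or "", re.I)
    return int(m.group(1)) if m else 0

def grade(score):
    """Map a numeric score to the (assumed) Observatory letter grade."""
    return next(g for floor, g in GRADE_BANDS if score >= floor)

def score_headers(headers, redirects_to_https):
    """Return (score, grade, failed_rules) for a dict of response headers plus
    the result of the separate HTTP -> HTTPS redirect test."""
    h = {k.lower(): v for k, v in headers.items()}
    failed, score = [], 100
    if "content-security-policy" not in h:
        failed.append("content-security-policy")
        score -= 25
    if not redirects_to_https:
        failed.append("redirection")
        score -= 20
    # The remaining rules passed in the report, which therefore gives no
    # penalty figure for them; they are reported as failures without scoring.
    checks = {
        "strict-transport-security": hsts_max_age(h.get("strict-transport-security")) >= HSTS_MIN_AGE,
        "x-content-type-options": h.get("x-content-type-options", "").lower() == "nosniff",
        "x-frame-options": h.get("x-frame-options", "").upper() in ("SAMEORIGIN", "DENY"),
        "x-xss-protection": h.get("x-xss-protection", "").replace(" ", "").lower() == "1;mode=block",
    }
    failed += [rule for rule, ok in checks.items() if not ok]
    return score, grade(score), failed

# Constructed sample: the header set implied by the report (passing values for the
# four header rules, no CSP), and the same set after the two fixes this bug tracks.
BEFORE = {
    "Strict-Transport-Security": "max-age=15768000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
# Placeholder policy; the real value is whatever the origin work in bug 1311677 sets.
AFTER = dict(BEFORE, **{"Content-Security-Policy": "default-src 'none'"})
```

`score_headers(BEFORE, False)` reproduces the report's 55 / C with the two failed rules, and `score_headers(AFTER, True)` shows the result once both fixes land.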

Updated

2 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3543]
(Assignee)

Comment 1

2 years ago
We are addressing the -20 redirection penalty in bug 1302420.

:giorgos, could you recommend to us an appropriate Content-Security-Policy for the content served by this site - or, may we facilitate a discussion between you (or someone you recommend) and a CSP expert from our websec team?
Flags: needinfo?(giorgos)

Updated

2 years ago
Assignee: server-ops-webops → rsoderberg
(Assignee)

Updated

2 years ago
See Also: → bug 1058759
Comment 2

(In reply to Richard Soderberg [:atoll] from comment #1)
> :giorgos, could you recommend to us an appropriate Content-Security-Policy
> for the content served by this site - or, may we facilitate a discussion
> between you (or someone you recommend) and a CSP expert from our websec team?

We're already working on this and we'll be setting CSP headers in the origin.
Flags: needinfo?(giorgos)
(Assignee)

Comment 3

2 years ago
(In reply to Giorgos Logiotatidis [:giorgos] from comment #2)
> (In reply to Richard Soderberg [:atoll] from comment #1)
> > :giorgos, could you recommend to us an appropriate Content-Security-Policy
> > for the content served by this site - or, may we facilitate a discussion
> > between you (or someone you recommend) and a CSP expert from our websec team?
> 
> We're already working on this and we'll be setting CSP headers in the origin.

Excellent! Could you link us to the bug or issue tracking that work?
Comment 4

(In reply to Richard Soderberg [:atoll] from comment #3)
> Excellent! Could you link us to the bug or issue tracking that work?

Here you go https://bugzilla.mozilla.org/show_bug.cgi?id=1311677
(Assignee)

Comment 5

2 years ago
Awesome, thank you :) Closing this bug as WebOps has no remaining work, marking bug 1311677 as a dependency to keep tabs on it.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Depends on: 1311677
Resolution: --- → FIXED
(Assignee)

Comment 6

2 years ago
(There are now two dependent bugs that are both being worked on, one by us.)
(Assignee)

Updated

2 years ago
Blocks: 1309993