Help improve security for patentquest website

Product: Enterprise Information Security
Component: General
Status: ASSIGNED
Reported: a year ago
Modified: 9 months ago
Reporter: ellee, Assigned: April

I ran https://patentquest.mozilla.org through Observatory and we did not get the required B+.

Can I get assistance from the WebDev team on fixing the issues on the site so it passes muster?
Component: Webdev → other.mozilla.org
Product: mozilla.org → Websites
Version: other → unspecified
Hi :reed, is this the right place for this bug?
Flags: needinfo?(reed)
EIS would probably know a better team for this than I would...
Component: other.mozilla.org → General
Flags: needinfo?(reed)
Product: Websites → Enterprise Information Security
Assignee: nobody → april
Status: NEW → ASSIGNED
Comment 3 (Assignee), a year ago
I'm catching up on bugs but I hope to get a chance to take a look at this next week.  Thanks!
Friendly ping?
Flags: needinfo?(april)
Comment 5 (Assignee), 9 months ago
Oh my gosh, lemme take a look at this now!
Flags: needinfo?(april)
Comment 6 (Assignee), 9 months ago
Okay, here is a good start:

- Redirect from HTTP to HTTPS automatically (301 redirect)
- Set the following HTTP headers:

> Strict-Transport-Security: max-age=63072000
> X-Content-Type-Options: nosniff

Move this JavaScript code to one of the external JavaScript files:

    <script>
      document.querySelector('.walkthrough').addEventListener('click', function (e) {
        var tgt = e.target;
        if (tgt.classList.contains('walkthrough--toggle')) {
          for (var el = tgt; el.parentNode; el = el.parentNode) {
            if (el.classList.contains('walkthrough')) {
              if (el.classList.contains('walkthrough-open')) {
                tgt.innerHTML = '(show)';
                el.classList.remove('walkthrough-open');
              } else {
                tgt.innerHTML = '(hide)';
                el.classList.add('walkthrough-open');
              }
              break;
            }
          }
        }
      });
    </script>

Do the same with this:

    <script>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-35433268-73', 'auto');
      ga('send', 'pageview');
    </script>

Once that is done, I can take a stab at improving things further.  Do you want me to open up a bug on GitHub? Is the project still being worked on? I don't see a commit in about a year.
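The three fixes above (301 to HTTPS, the two headers, and moving inline scripts out so a Content-Security-Policy can later be added without 'unsafe-inline') as a runnable example. This is added illustration, not code from the ipquest repository or from anyone in this bug: the middleware, the `check_headers` scorer, the `hello_app` stand-in site and the CSP value are assumptions; the CSP allows the google-analytics origin only because the snippet quoted above loads analytics.js from there. The six-month floor is what Observatory credits for HSTS; the bug itself asks for two years.

```python
"""Added example: apply the comment 6 fixes as WSGI middleware and score
the resulting headers. Not the project's code; names below are assumed."""
from urllib.parse import quote

HSTS_TWO_YEARS = 63072000       # the max-age value the bug asks for
HSTS_MIN_ACCEPTED = 15768000    # six months, the floor Observatory credits

# Assumed policy (not in the bug): scripts only from the site itself and
# from the origin analytics.js is loaded from. No 'unsafe-inline', which is
# why the two inline <script> blocks must move to external files first.
CSP = "default-src 'self'; script-src 'self' https://www.google-analytics.com"

SECURITY_HEADERS = [
    ("Strict-Transport-Security", "max-age=%d" % HSTS_TWO_YEARS),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", CSP),
]


class SecurityHeadersMiddleware:
    """301 every plain-HTTP request to HTTPS; add the headers to HTTPS responses."""

    def __init__(self, app, host):
        self.app = app
        self.host = host  # canonical host to redirect to

    def __call__(self, environ, start_response):
        # Only honour X-Forwarded-Proto when a trusted proxy terminates TLS in
        # front of this app; otherwise a client can set it and skip the redirect.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO",
                             environ.get("wsgi.url_scheme", "http"))
        if scheme != "https":
            location = "https://%s%s" % (self.host, quote(environ.get("PATH_INFO", "/")))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            # HSTS is deliberately not sent here: browsers ignore it over HTTP.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS:
                if name.lower() not in present:  # never clobber an app-set header
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return self.app(environ, secured_start_response)


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None


def check_headers(headers):
    """Score a header dict (names matched case-insensitively) against the bug's asks."""
    h = {k.lower(): v for k, v in headers.items()}
    age = hsts_max_age(h.get("strict-transport-security", ""))
    csp = h.get("content-security-policy", "")
    return {
        "hsts": age is not None and age >= HSTS_MIN_ACCEPTED,
        "nosniff": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "csp_no_inline": bool(csp) and "'unsafe-inline'" not in csp,
    }


def call(app, environ):
    """Drive a WSGI app without a server; returns (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Constructed stand-in for the site."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>patentquest</body></html>"]


site = SecurityHeadersMiddleware(hello_app, "patentquest.mozilla.org")


def plain_http_request():
    return call(site, {"wsgi.url_scheme": "http", "PATH_INFO": "/quest",
                       "QUERY_STRING": "q=1"})


def https_request():
    return call(site, {"wsgi.url_scheme": "https", "PATH_INFO": "/"})


if __name__ == "__main__":
    print(plain_http_request()[:2])
    status, headers, _ = https_request()
    print(status, check_headers(headers))
```

`check_headers` can be pointed at a real site's headers (for example the dict from `requests.get(url).headers`) to confirm the fix landed before re-running Observatory; it only scores the items this bug names, not the full Observatory test set.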
It's no longer being actively developed. If you make an issue or PR on Github that'd be great though. :)

Part of the exercise for me is also so I can understand how website security is handled for our internal clients.
Flags: needinfo?(april)
Comment 8 (Assignee), 9 months ago
BTW, I opened an issue on the patentquest github:

https://github.com/mozilla/ipquest/issues/27
Flags: needinfo?(april)