Closed Bug 1335534 Opened 7 years ago Closed 3 years ago

Help improve security for patentquest website

Categories

(Security Assurance :: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ellee, Assigned: April)

References

()

Details

I ran https://patentquest.mozilla.org through Observatory and we did not get the required B+.

Can I get assistance from the WebDev team on fixing the issues on the site, and pass muster?
Component: Webdev → other.mozilla.org
Product: mozilla.org → Websites
Version: other → unspecified
Hi :reed, is this the right place for this bug?
Flags: needinfo?(reed)
EIS would probably know the better team than I would...
Component: other.mozilla.org → General
Flags: needinfo?(reed)
Product: Websites → Enterprise Information Security
Assignee: nobody → april
Status: NEW → ASSIGNED
I'm catching up on bugs but I hope to get a chance to take a look at this next week.  Thanks!
Friendly ping?
Flags: needinfo?(april)
Oh my gosh, lemme take a look at this now!
Flags: needinfo?(april)
Okay, here is a good start:

- Redirect from HTTP to HTTPS automatically (301 redirect)
- Set the following HTTP headers:

> Strict-Transport-Security: max-age=63072000
> X-Content-Type-Options: nosniff

Move this JavaScript code to one of the external JavaScript files:

    <script>
      document.querySelector('.walkthrough').addEventListener('click', function (e) {
        var tgt = e.target;
        if (tgt.classList.contains('walkthrough--toggle')) {
          for (var el = tgt; el.parentNode; el = el.parentNode) {
            if (el.classList.contains('walkthrough')) {
              if (el.classList.contains('walkthrough-open')) {
                tgt.innerHTML = '(show)';
                el.classList.remove('walkthrough-open');
              } else {
                tgt.innerHTML = '(hide)';
                el.classList.add('walkthrough-open');
              }
              break;
            }
          }
        }
      });
    </script>

Do the same with this:

    <script>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-35433268-73', 'auto');
      ga('send', 'pageview');
    </script>

Once that is done, I can take a stab at improving things further.  Do you want me to open up a bug on GitHub? Is the project still being worked on? I don't see a commit in about a year.
It's no longer being actively developed. If you make an issue or PR on Github that'd be great though. :)

Part of the exercise for me is also so I can understand how website security is handled for our internal clients.
Flags: needinfo?(april)
BTW, I opened an issue on the patentquest github:

https://github.com/mozilla/ipquest/issues/27
Flags: needinfo?(april)

Should we consider decommissioning the patentquest website? It hasn't been updated in years, doesn't have mandatory HTTPS, and has been neglected from a security perspective.

It's a good question (should it be taken offline) but it looks like there's no one around that would be able to work on this. I'll close this ticket out as the original request for guidance on web standards has been met.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED