Closed
Bug 1335534
Opened 7 years ago
Closed 3 years ago
Help improve security for patentquest website
Categories
(Security Assurance :: General, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ellee, Assigned: April)
I ran https://patentquest.mozilla.org through Observatory and we did not get the required B+. Can I get assistance from the WebDev team on fixing the issues on the site, and pass muster?
Updated•7 years ago
Component: Webdev → other.mozilla.org
Product: mozilla.org → Websites
Version: other → unspecified
Comment 1•7 years ago (Reporter)
Hi :reed, is this the right place for this bug?
Flags: needinfo?(reed)
Comment 2•7 years ago
EIS would probably know the better team than I would...
Component: other.mozilla.org → General
Flags: needinfo?(reed)
Product: Websites → Enterprise Information Security
Updated•7 years ago
Assignee: nobody → april
Status: NEW → ASSIGNED
Comment 3•7 years ago (Assignee)
I'm catching up on bugs but I hope to get a chance to take a look at this next week. Thanks!
Comment 6•7 years ago (Assignee)
Okay, here is a good start:

- Redirect from HTTP to HTTPS automatically (301 redirect)
- Set the following HTTP headers:

> Strict-Transport-Security: max-age=63072000
> X-Content-Type-Options: nosniff

Move this JavaScript code to one of the external JavaScript files:

<script>
  document.querySelector('.walkthrough').addEventListener('click', function (e) {
    var tgt = e.target;
    if (tgt.classList.contains('walkthrough--toggle')) {
      for (var el = tgt; el.parentNode; el = el.parentNode) {
        if (el.classList.contains('walkthrough')) {
          if (el.classList.contains('walkthrough-open')) {
            tgt.innerHTML = '(show)';
            el.classList.remove('walkthrough-open');
          } else {
            tgt.innerHTML = '(hide)';
            el.classList.add('walkthrough-open');
          }
          break;
        }
      }
    }
  });
</script>

Do the same with this:

<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-35433268-73', 'auto');
  ga('send', 'pageview');
</script>

Once that is done, I can take a stab at improving things further. Do you want me to open up a bug on GitHub? Is the project still being worked on? I don't see a commit in about a year.
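
The checklist in comment 6, expressed as an automated check over captured responses. This is an added example, not part of the original comment or of the ipquest code base; the function names, the sample responses and the /js/ file paths are constructed for illustration.

```javascript
// Added example; function names and sample responses are constructed for illustration.

// Extract max-age (seconds) from a Strict-Transport-Security value, or null.
function hstsMaxAge(value) {
  if (typeof value !== 'string') return null;
  for (const part of value.split(';')) {
    const m = /^\s*max-age\s*=\s*"?(\d+)"?\s*$/i.exec(part);
    if (m) return Number(m[1]);
  }
  return null;
}

// Count <script> elements with inline code (no src attribute, non-empty body).
// Regex matching only approximates HTML parsing; it is enough for an audit pass.
function countInlineScripts(html) {
  let n = 0;
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(attrs) && body.trim() !== '') n++;
  }
  return n;
}

// httpResp: response to the plain-HTTP request; httpsResp: response over HTTPS.
// Header names are lower-cased. minMaxAge defaults to the value given in comment 6.
function auditSite(httpResp, httpsResp, minMaxAge = 63072000) {
  const findings = [];
  const loc = httpResp.headers['location'] || '';
  if (httpResp.status !== 301 || !/^https:\/\//i.test(loc)) findings.push('no-301-redirect-to-https');
  const age = hstsMaxAge(httpsResp.headers['strict-transport-security']);
  if (age === null || age < minMaxAge) findings.push('hsts-missing-or-short');
  const xcto = (httpsResp.headers['x-content-type-options'] || '').trim().toLowerCase();
  if (xcto !== 'nosniff') findings.push('x-content-type-options-not-nosniff');
  const inline = countInlineScripts(httpsResp.body);
  if (inline > 0) findings.push(`inline-scripts:${inline}`);
  return findings;
}

// Constructed responses: the site before and after the recommended changes.
const before = {
  http: { status: 200, headers: {}, body: '' },
  https: { status: 200, headers: {},
    body: '<script>ga("send", "pageview");</script><script src="/js/app.js"></script>' },
};
const after = {
  http: { status: 301, headers: { location: 'https://patentquest.mozilla.org/' }, body: '' },
  https: { status: 200,
    headers: { 'strict-transport-security': 'max-age=63072000', 'x-content-type-options': 'nosniff' },
    body: '<script src="/js/walkthrough.js"></script><script src="/js/analytics.js"></script>' },
};
console.log(auditSite(before.http, before.https), auditSite(after.http, after.https));
```

An empty findings array means all three items from the comment are satisfied for the captured pair of responses.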
Comment 7•7 years ago (Reporter)
It's no longer being actively developed. If you make an issue or PR on Github that'd be great though. :) Part of the exercise for me is also so I can understand how website security is handled for our internal clients.
Flags: needinfo?(april)
Comment 8•7 years ago (Assignee)
BTW, I opened an issue on the patentquest github: https://github.com/mozilla/ipquest/issues/27
Flags: needinfo?(april)
Comment 9•5 years ago (Assignee)
Should we consider decommissioning the patentquest website? It hasn't been updated in years, doesn't have mandatory HTTPS, and has been neglected from a security perspective.
Comment 10•3 years ago
It's a good question (should it be taken offline) but it looks like there's no one around that would be able to work on this. I'll close this ticket out as the original request for guidance on web standards has been met.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED