Closed Bug 1336590 Opened 7 years ago Closed 7 years ago

Implement CSP: frame-ancestors on hg.m.o

(Developer Services :: Mercurial: hg.mozilla.org, defect)

Tracking: (Not tracked)

RESOLVED FIXED

(Reporter: Atoll, Assigned: gps)

Attachments: (1 file)

Please add the 'frame-ancestors' property, with whatever value is deemed appropriate, to the hg.m.o CSP header. This will remove the following negative:

  X Frame Options                [-20]  X-Frame-Options (XFO) header not implemented

And replace it with either a lesser penalty or no penalty, depending on what frame-ancestors choice is made.

There are three possible frame-ancestors choices to make here:

1) Prohibit all framing of hg.mozilla.org by all sites.

2) Permit framing of hg.mozilla.org by certain sites.

3) Permit framing of hg.mozilla.org by HTTPS sites.

4) Permit framing of hg.mozilla.org by all sites.

Currently, the lack of XFO+CSP:f-a means that we're defaulting to policy 4) above. It's perfectly acceptable to explicitly declare policy 3) or 4), which provides a score boost versus today: a stated policy is better than none at all.

Unless hg.m.o has specific reason to restrict being framed within other sites, I advise shipping 3) to address this penalty. The specific policy I advise is:

Content-Security-Policy: ...; frame-ancestors: https: ; ...

This will require sites that want to embed hg.m.o in a frame to, themselves, be served over HTTPS. However, if you wanted policy 4) instead:

Content-Security-Policy: ...; frame-ancestors: * ; ...

There may be more nuance available here - for instance, instead of *, you could say https: http:. Or instead of https:, you could say https: file:. Whatever decision is reached, we're available to assist with representing it in CSP form.

(The X-Frame-Options header cannot represent this level of nuance, and once CSP: frame-ancestors is present, is ignored entirely, which is why this bug focuses on f-a and not XFO.)
Flags: needinfo?(gps)
This should be trivial...
Assignee: nobody → gps
Status: NEW → ASSIGNED
Flags: needinfo?(gps)
Comment on attachment 8869277 [details]
ansible/hg-web: add "frame-ancestors: https:" to CSP (bug 1336590);

https://reviewboard.mozilla.org/r/140840/#review144594
Attachment #8869277 - Flags: review?(klibby) → review+
And my axe.
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/5ce8224bb603
ansible/hg-web: add "frame-ancestors: https:" to CSP ; r=fubar
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
I'll likely hold off deploying this until next week because Friday.
This is currently deploying. Should be active in <120s.
This failed to move the needle on our observatory score because we didn't add the XFO header. Do we care?
Hm. Maybe my guidance was wrong! April?
Flags: needinfo?(april)
frame-ancestors should be all that you need; you shouldn't need XFO. Let me see if there's a bug.
Oh, I see the problem. You have:

> frame-ancestors: https:

It should be:

> frame-ancestors https:

You have a semi-colon after frame-ancestors, which makes it an invalid directive.
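An added example, not code from this bug or from version-control-tools, that reproduces the parsing difference April points out: a small parser in the style of the CSP3 "parse a serialized CSP" steps drops any directive whose name is not made of ALPHA/DIGIT/"-", so `frame-ancestors: https:` is silently ignored and framing stays unrestricted, while `frame-ancestors https:` is honoured. The `default-src 'self'` part of the sample headers is assumed; the bug only shows the frame-ancestors directive.

```python
import re
from typing import Dict, List, Optional

# A CSP directive name is 1*(ALPHA / DIGIT / "-"). "frame-ancestors:" fails
# this, so a conforming browser treats the whole directive as unrecognized.
_DIRECTIVE_NAME = re.compile(r"^[a-z0-9-]+$")
_SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*:$")  # e.g. https: or http:

# Constructed sample headers (default-src is assumed; the bug only shows the
# frame-ancestors part): the one first deployed in this bug, and the fix.
BROKEN_CSP = "default-src 'self'; frame-ancestors: https:"
FIXED_CSP = "default-src 'self'; frame-ancestors https:"

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP into {directive-name: [source, ...]}, following
    the CSP3 steps: split on ';', then on ASCII whitespace; first token is the
    name. Directives with an invalid or duplicate name are silently dropped."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if _DIRECTIVE_NAME.match(name) and name not in policy:
            policy[name] = tokens[1:]
    return policy

def frame_ancestors(header: str) -> Optional[List[str]]:
    """The frame-ancestors source list, or None if the header sets none."""
    return parse_csp(header).get("frame-ancestors")

def framing_allowed(header: str, embedder_origin: str, self_origin: str) -> bool:
    """May a page with this CSP be framed by embedder_origin? Covers the forms in
    the bug: 'none', *, scheme sources (https:, http:), 'self', exact origin.
    No valid directive means framing is unrestricted ("policy 4" in comment #0)."""
    sources = frame_ancestors(header)
    if sources is None:
        return True
    sources = [s.lower() for s in sources]
    if "'none'" in sources:
        return False
    embedder = embedder_origin.lower()
    for src in sources:
        if src in ("*", embedder):
            return True
        if src == "'self'" and embedder == self_origin.lower():
            return True
        if _SCHEME_SOURCE.match(src) and embedder.split(":", 1)[0] == src[:-1]:
            return True
    return False
```

With the colon, `parse_csp(BROKEN_CSP)` contains no frame-ancestors key at all, which is why the Observatory score did not move until the fix landed.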
Aw, man. I'm so sorry. :(
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/17280488af9d
ansible/hg-web: remove errant colon from CSP
And with that deployed we're now at a 95/A rating.

Thanks, April!
Flags: needinfo?(april)
(In reply to Richard Soderberg [:atoll] from comment #0)
> (The X-Frame-Options header cannot represent this level of nuance, and once
> CSP: frame-ancestors is present, is ignored entirely, which is why this bug
> focuses on f-a and not XFO.)

Sadly, that's not true for Firefox. See bug #1024557.