Closed Bug 1339940 Opened 8 years ago Closed 7 years ago

[li-00134461] [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org

Categories

(support.mozilla.org - Lithium :: General, defect, P2)

Product:
support.mozilla.org - Lithium
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INVALID
Milestone:
2017q1

People

(Reporter: rolandtanglao, Assigned: rolandtanglao)

References

(
URL
)

Details

(Whiteboard: [1st2weeks] [li-00134461])

Attachments

(2 files, 1 obsolete file)

14april2017-mozilla.prod-csp-sanitized-report.csv
2.42 MB, text/csv
Details
01May2017-pre-csp-Observatory-scan.png
1.23 MB, image/png
Details
From https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy: Content Security Policy Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites. From: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org "FAIL -25 Content Security Policy (CSP) header not implemented" Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site. Note that disabling inline JavaScript means that all JavaScript must be loaded from <script> src tags . Event handlers such as onclick used directly on a tag will fail to work, as will JavaScript inside <script> tags but not loaded via src. Furthermore, inline stylesheets using either <style> tags or the style attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.
Summary: [observatory] Content Security Policy → [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
:april and :claudijd : what value should Lithium set the CSP Header to? (not sure what value is will make SUMO pass the scan after reading https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy , "Implementation Notes")
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Roland - the following is a starting point for your CSP policy on SUMO... Content-Security-Policy: default-src 'none'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://*.i.lithium.com/ https://www.google-analytics.com/; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.i.lithium.com https://www.google-analytics.com https://www.gravatar.com; font-src 'self'; connect-src 'self' https://pushy-live-prod-aws-us-west-1.prod.aws.lcloud.com/realtime/notification/bf59d9df-a534-49c1-b53b-c1e09f7a237a/1012898 wss://pushy-live-prod-aws-us-west-1.prod.aws.lcloud.com/realtime/notification/bf59d9df-a534-49c1-b53b-c1e09f7a237a/1012898; object-src 'none' I did some testing with a proxy by injecting this CSP policy into server responses while browsing SUMO and everything seemed to work. The only exception was that there was some flash calls in lia-scripts-head-min.js that when using this policy will generate some CSP errors. My assumption is that this isn't required for SUMO to function, but if so you may need to tune the object-src attribute to allow that bit. It's been set to 'none' above to be on the safe side. I should warn you that you should test this in staging to validate for yourself that the policy doesn't impact SUMO's operations. If you have questions, please let us know and we'll be happy to advise.
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Whiteboard: [1st2weeks] → [1st2weeks] [li-00134461]
Response from Lithium QUOTE Created By: Kris Stewart (2/23/2017 12:44 PM) [Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com] Hi Roland, Got it - thanks! I've relayed the header info to our engineering team to implement for CSP, alongside enabling HSTS support. We'll keep you posted on progress of setting that up. Aside from CSP and HSTS - which are in the process of being enabled now that we have the info - were there any other outstanding issues with the report we sent back your way? Thank you, Kris END QUOTE Assigning and needinfo'ing myself to see if I can verify on Monday February 27, 2017 when I get back
Flags: needinfo?(rtanglao)
Assignee: nobody → rtanglao
Flags: needinfo?(rtanglao)
still awaiting an update on CSP as of Monday Feb 27, 2017 re-needinfo'ing myself to check this later this week
Flags: needinfo?(rtanglao)
> Aside from CSP and HSTS - which are in the process of being enabled now that we have the info - were there any other outstanding issues with the report we sent back your way? It would be nice if they fixed any issues that the Observatory called out. We're getting good grades on AMO and BMO, I would like to see the same on SUMO, since it's one of our most visible websites.
Component: Lithium Migration → General
Flags: needinfo?(rtanglao)
Product: support.mozilla.org → support.mozilla.org - Lithium
Target Milestone: --- → 2017q1
Hi April and Jonathan: The Lithium folks have implemented CSP on stage: http://support-stage.allizom.org/ 1. Could one of you please test CSP on stage? Or tell me how to test CSP please? (stage is htaccess protected, I sent you both the htaccess password and userid via email) OR 2. Could one of tell me the IP address of the Mozilla observatory so they can whitelist it so we can use CSP without htaccess on stage? It would be great if 1 or 2. could be done by Tuesday March 7 at 9a.m. Pacific Cheers! ...Roland "unencumbered by CSP knowledge" :) Tanglao
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Roland: I provided the answer for #2 in another bug you NI'd us on.
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Hi Jonathan: The Lithium people would like to: enable CSP-Report-Only (they wrote in their support syste: "In regards to the CSP header, our engineering folks would like to enable CSP-Report-Only in order to gather information and apply the best header options that make sense. Do we have your blessing to do this? "). I googled it and found this on MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only According to that MDN page it appears that this is OK for experimentation. Jonathan: is this OK to try on production? (well on stage first of course but since it's read only is it fine to do on production right away?).
Flags: needinfo?(jclaudius)
Roland: You've got a "all clear" from me if they want to CSP report only to start. The end goal of course is to have an inforced policy, but this is a good first step.
Flags: needinfo?(jclaudius)
Roland: any updates on the CSP rollout here? Let me know if you need visibility to those see-also bugs that greg and I have linked in that could be mitigated by the CSP rollout.
Flags: needinfo?(rtanglao)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #10) Hi :claudijd, see inline below! > Roland: any updates on the CSP rollout here? Let me know if you need > visibility to those see-also bugs that greg and I have linked in that could if you referring to bug 1348172 and bug 1348170, yes I do have access, please give me access to any other bugs if there are any! > be mitigated by the CSP rollout. Here's my latest reply to Lithium (copied and pasted from their supportcase system which isn't public) BEGIN copy and paste from https://supportcases.lithium.com/50061000009MCTs Hi Kris: Re: Kris Stewart (3/15/2017 8:49 AM) [1] Have you deployed ng-csp="no-unsafe-eval" to stage i.e. removed "unsafe-eval" from the CSP on stage? (I agree with what you wrote based on my very limited understanding of angular.js and CSP) Sorry for my confusion because it's not clear. Please deploy it to stage if you haven't (it looks like you haven't based on this screenshot https://www.flickr.com/photos/roland/32714947994/in/dateposted-ff/ of stage: https://observatory.mozilla.org/analyze.html?host=support-stage.allizom.org ) and I will test but it looks like we have almost finished this! [2] I am unencumbered :-) by both angular.js and security knowledge (April King and Jonathan Claudius) so I have to believe our security team when they say we should update angular.js. Should I open a separate support case to get the angular.js update on the roadmap? Since it's a separate issue, right? Cheers! ...Roland [1] "Angular allows CSP without having to have unsafe-eval. Specifically, we have added the use of the ngCsp (https://docs.angularjs.org/api/ng/directive/ngCsp) angular feature with the value specified no-unsafe-eval. See here for more details. It's possible you may be seeing the issue detailed here: http://stackoverflow.com/questions/25503213/angularjs-uses-eval-in-chrome-extension " [2] "Regarding the version of angular we're currently running - there is no specific reason we are running this version, we just have not prioritized an update to the latest version. We can and we also may update, but currently this is not on our backlog. " END
Flags: needinfo?(rtanglao)
Attached file mozilla.prod-csp-sanitized-report.csv (obsolete) —
Created By: Kris Stewart (3/20/2017 9:31 AM) [Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com] [Attachments: mozilla.prod-csp-sanitized-report.csv] Hi all, I've attached a report compiled from when CSP was enabled in reporting mode. There's multiple domains reported and we don't want to just whitelist them all. Would you please take a look at your earliest convenience and send the report back my way once you've had an opportunity to review and decide which domains you'd like white listed? Best regards, Kris
April and Jonathan: regarding the list of domains in the attachment in comment 12 provided by Lithium. Is there a quick way to figure out which domains should be whitelisted? I've whittled down the list painstakingly by hand and come up with a WIP list Two questions: 1. Is there a better way for me to finish this list ? 2. And can you look at my WIP list [A]? Cheers (any help gratefully received since I don't know much about this stuff!)! ...Roland [A] == Good: == https://d2xvc2nqkduarq.cloudfront.net (amazon CDN) https://fonts.googleapis.com https://gateway.zscaler.net (cloud security?) https://cdncache-a.akamaihd.net (CDN?) addthis.com, addthisedge.com (Lithium share button) youtube.com lithium.com support.mozilla.org == Potentially bad: == streamrail.com (ad network) mxpnl.net (analyics) vpaid.js (ad network) stickyads (ad network) https://connectionstrenth.com (ad network) http://cdncash.net/ (ad network) https://vast.yashi.com (ad network) http://match.adsrvr.org/ (ad network) https://partner-key.me (not sure what this is?!?) https://fonts.gstatic.com (google analytics? google tracking?) https://static.cmptch.com (malware?) https://vid.springserve.com (ad network) https://adnotbad.com (ad network) https://takethatad.com (ad network) https://awaybird.ru (ad network?) https://data1.itineraire.info (?) https://sdk.streamrail.com (ad network) https://t.lkqd.net (ad network?) https://x.rafomedia.com (ad network) http://vid-io.springserve.com, (ad network) https://ads.adaptv.advertising.com (ad network)
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Roland: To pull in some context from one of the recent sec-bugs filed on SUMO, one of the things I learned is that Lithium supports HTML content in their support pages ( If I recall there was interest in turning this off ). I believe the reason you're seeing such a variety in the CSP reporting here is that you're likely seeing these reports on embedded user content. Instead of enumerating what is bad, I think we really should focus on what is needed for the site to operate, these are things that Lithium should be able to answer for us.
Flags: needinfo?(jclaudius)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #14) > Roland: To pull in some context from one of the recent sec-bugs filed on > SUMO, one of the things I learned is that Lithium supports HTML content in > their support pages ( If I recall there was interest in turning this off ). > I believe the reason you're seeing such a variety in the CSP reporting here > is that you're likely seeing these reports on embedded user content. > Instead of enumerating what is bad, I think we really should focus on what > is needed for the site to operate, these are things that Lithium should be > able to answer for us. hi jonathan: thanks again! SUMO content has html (well not arbitrary html but links, bold and other simple html) but if by support pages you mean some other conten on LIthium than SUMO content than yes they should be able to answer. But I can only guess that maybe SUMO content has some bad studff?!? Here's my final list: == Good == https://d2xvc2nqkduarq.cloudfront.net (amazon CDN) https://fonts.googleapis.com https://gateway.zscaler.net (cloud security?) https://cdncache-a.akamaihd.net (CDN?) addthis.com, addthisedge.com (Lithium share button) youtube.com lithium.com support.mozilla.org google.com hwsfp35778.i.lithium.com https://www.google-analytics.com https://code.jquery.com support.cdn.mozilla.net support.mozilla.org/legacy translate.google.com s3.amazonaws.com == Potentially bad == streamrail.com (ad network) mxpnl.net (analyics) vpaid.js (ad network) stickyads (ad network) https://connectionstrenth.com (ad network) http://cdncash.net/ (ad network) https://vast.yashi.com (ad network) http://match.adsrvr.org/ (ad network) https://partner-key.me (not sure what this is?!?) https://fonts.gstatic.com (google analytics? google tracking?) https://static.cmptch.com (malware?) https://vid.springserve.com (ad network) https://adnotbad.com (ad network) https://takethatad.com (ad network) https://awaybird.ru (ad network?) https://data1.itineraire.info (?) https://sdk.streamrail.com (ad network) https://t.lkqd.net (ad network?) https://x.rafomedia.com (ad network) http://vid-io.springserve.com, (ad network) https://ads.adaptv.advertising.com (ad network) apiboxrockinfo-a.akamaihd.net https://apienhancetronic-a.akamaihd.net https://asrvvv-a.akamaihd.net https://cleanbrowser-a.akamaihd.net https://intext-a.akamaihd.net https://savingsslider-a.akamaihd.net data1.allo-pages.fr data1.bilan-imc.fr https://fdz.octapi.net hm.baidu.com mc.yandex.com search-goo.com pstatic.bestpriceninja.com https://data1.imc-calcular.com https://cdn.optimatic.com https://cdn.hiberniacdn.com lb.apicit.net http://tags.clickintext.net net.ootil.fr cdn.visadd.com cjs.linkbolic.com d2a8a4q9.ssl.hwcdn.net mstat.acestream.net eluxer.net ext.kinoroombrowser.ru www.adstomat.ru tc.koushuidang.cn rdc.apicit.net https://www.findizer.fr jsl.infostatsvc.com s.igmhb.com https://system.donation-tools.org cdnins.123rede.com stags.bluekai.com i_tonginjs_info.tlscdn.com pixel.yabidos.com pstatic.davebestdeals.com https://qnp.demisedcolonnaded.com rules.similardeals.net data1.recettes.net foxi69.tlscdn.com istatic.eshopcomp.com findizer.fr data1.iti-maps.fr tags.clickintext.net app.davebestdeals.com 1087072589.rsc.cdn77.org qdatasales.com ezb.elvenmachine.com cdn-01.yumenetworks.com ads.contextweb.com fqtag.com platform.epiphanyai.com vast.bp3872166.btrll.com app.bestpriceninja.com data1.calcolo-bmi.com fp1f171.digitaloptout.com sgnr.bestpriceninja.com nps.noproblemppc.com pl.adsloads.com pstatic.bestpriceninja.com px.media-serving.com sovetnik.market.yandex.ru nps.noproblemppc.com https://data1.yummmi.es
Roland: Please keep in mind that CSP reports likely include CSP violations generated by people attempting to do security testing and their browser self-reporting violations. For anything you have in the "good" column, I would vet that list with Lithium. Everything else, assuming this just affects our instance of Lithium, is likely ok to let the CSP kick-in and stop these.
Flags: needinfo?(april)
Roland: How's this going? We're getting more and more reports of XSS issues in SUMO and this would probably help mitigate a lot of them.
Flags: needinfo?(rtanglao)
Still waiting Jonathan sad face here's the latest reply: BEGIN COPY AND PASTE FROM Lithium's non public case system Created By: Kris Stewart (4/11/2017 8:51 AM) [Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com] Hi all, Our engineering folks have been testing CSP daily in an effort to get the correct set of violations so we can began white listing, but they'd like a little more time as they suspect that many of the violations being reported are likely from user cache and will clear up within a few days for a more accurate scan. We can enable it today if needed, but the recommendation is to wait another 24-48 hours for a more detailed violation report. If you're fine with this plan or have any concerns, please just let me know. Thank you, Kris END COPY AND PASTE FROM Lithium's non public case system
Flags: needinfo?(rtanglao)
HI :claudijd If 24-48 hours is too slow, please ping me! Cheers! ...Roland
Flags: needinfo?(jclaudius)
Roland: that is fine.
Flags: needinfo?(jclaudius)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #16) > Roland: Please keep in mind that CSP reports likely include CSP violations > generated by people attempting to do security testing and their browser > self-reporting violations. For anything you have in the "good" column, I > would vet that list with Lithium. Everything else, assuming this just > affects our instance of Lithium, is likely ok to let the CSP kick-in and > stop these. i will vet the good column manually with lithium because obviously they didn't read thoroughly when relayed your comment :claudijd. They came back with another 7000 line file :-( (which I will attach). My full reply is at the end of this comment [1] Cheers! ...Roland [1] Created By: Sumo Team (4/24/2017 2:41 PM) Hi Kris: I will look at your 7000 line file today! Again like our security folks, I still don't understand why you can't give us a list of sites Lithium needs to run the site instead of giving us a 7000 line file. Again here's what our security folks said: "I think we really should focus on what is needed for the site to operate, these are things that Lithium should be able to answer for us" What am I missing? I'm honestly not understanding this. Why can't you Lithium folks just give us a list of the sites you need for the site to operate.? Cheers! ...Roland "unencumbered by security knowledge and not looking forward to going through a 7000 line csv file manually" Tanglao :-)
here's the 7000 line csv file that i promised in comment 21 :claudijd if you have time please take a look otherwise i will go over the good list as per my comment in comment 21
Flags: needinfo?(jclaudius)
And here's the latest reply from Lithium [1]. As always, appreciate any insight you can give me :claudijd [1] (copy and pasted from Lithium's non public system) Created By: Kris Stewart (4/24/2017 2:48 PM) [Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com] Hi Roland, I've requested a whitelist from engineering, but the ask here is whether the non-Lithium domains found in report mode should be blocked or permitted. Many of these we're unable to reproduce and suspect they may be the result of add-ons. Best regards, Kris
hi again :claudijd I am puzzled by Kris's response: "I've requested a whitelist from engineering, but the ask here is whether the non-Lithium domains found in report mode should be blocked or permitted." My question to you :claudijd is: Wouldn't it be easier if Lithium Kris gave us the whitelist, then we could figure out which domains aren't on the Lithium engineering whitelist faster right? Anyways after much yak shaving which is documented here: https://github.com/rtanglao/rt-csp#24april2017-repeat-test-from-22march2017 I came up with my good and bad list. [1] https://github.com/rtanglao/rt-csp/blob/master/14april2017-mozilla-good-bad-domains.md I'll ask Lithium Kris to check my list [1] against the Lithium engineering whitelist. Cheers! ...Roland [1] = Probably Good = http://s3.amazonaws.com https://hwsfp35778.i.lithium.com https://s7.addthis.com (lithium share button?) addthis.com addthisedge.com addthiscdn.com https://d2xvc2nqkduarq.cloudfront.net (amazon CDN) cloudfront.net https://fonts.googleapis.com ajax.googleapis.com translate.googleapis.com https://gateway.zscaler.net (cloud security?) https://cdncache-a.akamaihd.net (CDN?) akamaihd.net youtube.com lithium.com support.mozilla.org mozilla.net mozilla.org google.com gstatic.com https://www.google-analytics.com https://code.jquery.com support.cdn.mozilla.net support.mozilla.org/legacy translate.google.com amazon.co.jp # start of domains hand added by Roland 14April2017 amazonaws.com bootstrapcdn.com cdn3.org cdnjs.org cdnnetwok.xyz googletagmanager.com googleusercontent.com googlevideo.com keycdn.com jquerylib.net netdna-ssl.com netwcdn.xyz opera-mini.net cloudflare.com validcdn.xyz = Probably Bad = https://pre.glotgrx.com https://jsl.infostatsvc.com 1087072589.rsc.cdn77.org 123rede.com 1rx.io acestream.net adap.tv adnotbad.com adsloads.com adsrvr.org adstomat.ru advertising.com allo-pages.fr altitude-arena.com altitudeplatform.com angsrvr.com apicit.net awaybird.ru baidu.com bestpriceninja.com bfmio.com bilan-imc.fr bluekai.com btrll.com calcolo-bmi.com casalemedia.com cdncash.net cdncash.org clickintext.net cmptch.com connectionstrenth.com contextweb.com davebestdeals.com de17a.com demisedcolonnaded.com digitaloptout.com donation-tools.org eluxer.net epiphanyai.com eshopcomp.com findizer.fr fqtag.com hwcdn.net igmhb.com imc-calcular.com infostatsvc.com iti-maps.fr itineraire.info kinoroombrowser.ru koushuidang.cn krxd.net linkbolic.com lkqd.net lm15d.com media-serving.com mega-tags.com mxpnl.net noproblemppc.com octapi.net ootil.fr optimatic.com partner-key.men q1media.com qdatasales.com rafomedia.com recettes.net rllcll.com search-goo.com sekindo.com similardeals.net springserve.com stickyadstv.com streamrail.com streamrail.net takethatad.com tlscdn.com urlvalidation.com vertamedia.com visadd.com yabidos.com yandex.ru yashi.com yumenetworks.com yummmi.es 2016olympics-br.com # START of domains added by Roland manually from 14April2017 spreadsheet 4iy269pif3b3dd.ru 6ef16ds1mocmo.ru abounddinged.com addomain.men adepty.org adforgecdn.com adforgeinc.com adsload.net adstarknetwork.com advpartners.org ahrefs.com akamoihd.net albumsuper.info alexasurfing.com algovid.com altruistictask.com am15.net amiouze.fr aniview.com anyclip-media.com apelsinnik.website appgogle.com aqovd.com avg.com beachfrontmedia.com beleelashoppersearch.com best-mind.men betteradssoftware.com bookhome.info booob.men buyads.men bymebiker.com chumcharter.com cignalio.com ciuvo.com corulka.net coull.com coullmedia.com cpvsoler.com dashbid.io dashbida.com dc121677.com dcbap.com decipheringwarns.com deferringplateaus.com deliads.com determineyourroad.com dfgio.com discountliv.com dpknlgtbjs.info fanqianbb.com fast-searcher-sng-v4.com fast-searcher-v5.com fast-searcher-ww-v3.com filmkaynagi.com hiberniacdn.com hosterads.men icafemanager.com igithab.com ima3vpaid.appspot.com imbueisotope.com imgsrv.io imgur.com inafqjanby.ru innoapi.info jollywallet.com journallingpercolates.com kaspersky-labs.com ketrananing.ru khojdeal.com kickassapp.com konflab.com lcloud.com lijit.com llnwd.net loadroute.ru mapsworldglobal.com max-endeavor.men max-up.men maxads.men maxeclat.men mecash.ru mein-bmi.com metabar.ru minperil.men moujaz.net msecnd.net multiverse.cm mxgetcode.com myie.cc n170adserv.com naver.com nicoext.com nwcdn.xyz odbabo.info ohoteldeals.com onclickcool.com onedrive.su onlinemegax.com outputsteddy.com partner-print.men partner-safe.men partners-ship.pro partnertrust.men pmddby.com pnamic.com portadd.men prod2016.com przelewy24.pl pubmatic.com purplestats.com qomesn.com quantserve.com quick-searcher-v4.biz quick-searcher-world-v2.biz rakuten.co.jp rangeblessedness.men rapturesriskier.com ratexchange.net refbut.ru regionu.men regionw.men safe-recommendations.appspot.com sakutraplin.com salivaunsnarlreprint.com sascdn.com schbot.ru screenz.info searchusd.com shoppingate.info shoppytoolmac.com siteheart.net slimness.fr smartadserver.com snowplanes.com spotscenered.info spotxchange.com squad-t.men srdrvp.com stats-collector.org stbridge.ru surfbuyermac.com tdsrmbl.net tekblue.net testersgroupfun.com tfxiq.com tidaltv.com tohotweb.com tr553.com tr563.com trafmag.com trendmicro.com trendmicro.jp trumpetedextremes.com trytoweb.pro uc.gre ucweb.com uczzd.cn unoadsrv.com unocdn.com uprise.website utop.it v207.info v24s.net video2mp3.at videojam.tv viglink.com vj-vid.com walkme.com walmart.com worldssl.net xcetkbl.com xn--wgbafiz2bycof.online yourads.website zryydi.com
I asked Lithium to provide the full Lithium engineering whitelist. See [1] [1] Created By: Sumo Team (4/24/2017 10:58 PM) hi again Kris I am puzzled by your response: "I've requested a whitelist from engineering, but the ask here is whether the non-Lithium domains found in report mode should be blocked or permitted." My question to you Kris is: Wouldn't it be easier if Lithium gave Mozilla the Lithium engineering whitelist, then Mozilla could figure out which domains aren't on the Lithium engineering whitelist faster right? Anyways after much yak shaving which is documented here: https://github.com/rtanglao/rt-csp#24april2017-repeat-test-from-22march2017 I came up with my good and bad list. https://github.com/rtanglao/rt-csp/blob/master/14april2017-mozilla-good-bad-domains.md [1] Kris: 1. Please check my list [1] against the Lithium engineering whitelist. 2. Please provide the Lithium engineering whitelist ASAP. Cheers! ...Roland
Roland: I don't believe the bad-list is relevant, per comment 16. The CSP policy is effectively a white-list, so anything not in the white-list/good-list is dropped, we'd ideally have 95% or more of that should come directly from the Lithium team. The extra 5% would be anything that we explicitly want to add in addition to the Lithium platform.
Flags: needinfo?(jclaudius)
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #26) > Roland: I don't believe the bad-list is relevant, per comment 16. The CSP > policy is effectively a white-list, so anything not in the > white-list/good-list is dropped, we'd ideally have 95% or more of that > should come directly from the Lithium team. The extra 5% would be anything > that we explicitly want to add in addition to the Lithium platform. cool, thanks for comment 26, i've relayed your comment to Lithium
Hi all: I asked Lithium to enable CSP on production [1] Cheers! ...Roland [1] Created By: Sumo Team (5/1/2017 10:35 AM) Hello Kris: Please enable CSP on production which currently is set to: hwsfp35778.lithium.com Cheers! ...Roland
hopefully once Lithium implements CSP on production which is currently hwsfp35778.lithium.com that this score will improve from F to something better.
Comment on attachment 8849445 [details] mozilla.prod-csp-sanitized-report.csv marking as obsolete, superseded by 14april2017 csv
Attachment #8849445 - Attachment is obsolete: true
Summary: [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org → [li-00134461] [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
Priority: -- → P2
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: