Closed
Bug 1339940
Opened 8 years ago
Closed 7 years ago
[li-00134461] [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
Categories
(support.mozilla.org - Lithium :: General, defect, P2)
support.mozilla.org - Lithium
General
Tracking
(Not tracked)
RESOLVED
INVALID
2017q1
People
(Reporter: rolandtanglao, Assigned: rolandtanglao)
References
()
Details
(Whiteboard: [1st2weeks] [li-00134461])
Attachments
(2 files, 1 obsolete file)
From https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy:
Content Security Policy
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.
From: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
"FAIL -25 Content Security Policy (CSP) header not implemented"
Please change the CSP header so that it passes the scan at:
https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.
Note that disabling inline JavaScript means that all JavaScript must be loaded from <script> src tags . Event handlers such as onclick used directly on a tag will fail to work, as will JavaScript inside <script> tags but not loaded via src. Furthermore, inline stylesheets using either <style> tags or the style attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.
Assignee | ||
Updated•8 years ago
|
Summary: [observatory] Content Security Policy → [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
Assignee | ||
Updated•8 years ago
|
Whiteboard: [1st2weeks]
Assignee | ||
Comment 1•8 years ago
|
||
:april and :claudijd : what value should Lithium set the CSP Header to? (not sure what value is will make SUMO pass the scan after reading https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy , "Implementation Notes")
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Comment 2•8 years ago
|
||
Roland - the following is a starting point for your CSP policy on SUMO...
Content-Security-Policy: default-src 'none'; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://*.i.lithium.com/ https://www.google-analytics.com/; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://*.i.lithium.com https://www.google-analytics.com https://www.gravatar.com; font-src 'self'; connect-src 'self' https://pushy-live-prod-aws-us-west-1.prod.aws.lcloud.com/realtime/notification/bf59d9df-a534-49c1-b53b-c1e09f7a237a/1012898 wss://pushy-live-prod-aws-us-west-1.prod.aws.lcloud.com/realtime/notification/bf59d9df-a534-49c1-b53b-c1e09f7a237a/1012898; object-src 'none'
I did some testing with a proxy by injecting this CSP policy into server responses while browsing SUMO and everything seemed to work. The only exception was that there was some flash calls in lia-scripts-head-min.js that when using this policy will generate some CSP errors. My assumption is that this isn't required for SUMO to function, but if so you may need to tune the object-src attribute to allow that bit. It's been set to 'none' above to be on the safe side.
I should warn you that you should test this in staging to validate for yourself that the policy doesn't impact SUMO's operations. If you have questions, please let us know and we'll be happy to advise.
Flags: needinfo?(jclaudius)
Updated•8 years ago
|
Flags: needinfo?(april)
Assignee | ||
Updated•8 years ago
|
Whiteboard: [1st2weeks] → [1st2weeks] [li-00134461]
Assignee | ||
Comment 3•8 years ago
|
||
Response from Lithium
QUOTE
Created By: Kris Stewart (2/23/2017 12:44 PM)
[Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com]
Hi Roland,
Got it - thanks! I've relayed the header info to our engineering team to implement for CSP, alongside enabling HSTS support. We'll keep you posted on progress of setting that up.
Aside from CSP and HSTS - which are in the process of being enabled now that we have the info - were there any other outstanding issues with the report we sent back your way?
Thank you,
Kris
END QUOTE
Assigning and needinfo'ing myself to see if I can verify on Monday February 27, 2017 when I get back
Flags: needinfo?(rtanglao)
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → rtanglao
Flags: needinfo?(rtanglao)
Assignee | ||
Comment 4•8 years ago
|
||
still awaiting an update on CSP as of Monday Feb 27, 2017
re-needinfo'ing myself to check this later this week
Flags: needinfo?(rtanglao)
Comment 5•8 years ago
|
||
> Aside from CSP and HSTS - which are in the process of being enabled now that we have the info - were there any other outstanding issues with the report we sent back your way?
It would be nice if they fixed any issues that the Observatory called out. We're getting good grades on AMO and BMO, I would like to see the same on SUMO, since it's one of our most visible websites.
Assignee | ||
Updated•8 years ago
|
Component: Lithium Migration → General
Flags: needinfo?(rtanglao)
Product: support.mozilla.org → support.mozilla.org - Lithium
Target Milestone: --- → 2017q1
Assignee | ||
Comment 6•8 years ago
|
||
Hi April and Jonathan:
The Lithium folks have implemented CSP on stage:
http://support-stage.allizom.org/
1. Could one of you please test CSP on stage? Or tell me how to test CSP please? (stage is htaccess protected, I sent you both the htaccess password and userid via email)
OR
2. Could one of tell me the IP address of the Mozilla observatory so they can whitelist it so we can use CSP without htaccess on stage?
It would be great if 1 or 2. could be done by Tuesday March 7 at 9a.m. Pacific
Cheers!
...Roland "unencumbered by CSP knowledge" :) Tanglao
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Comment 7•8 years ago
|
||
Roland: I provided the answer for #2 in another bug you NI'd us on.
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Assignee | ||
Comment 8•8 years ago
|
||
Hi Jonathan:
The Lithium people would like to:
enable CSP-Report-Only (they wrote in their support syste: "In regards to the CSP header, our engineering folks would like to enable CSP-Report-Only in order to gather information and apply the best header options that make sense. Do we have your blessing to do this? ").
I googled it and found this on MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
According to that MDN page it appears that this is OK for experimentation.
Jonathan: is this OK to try on production? (well on stage first of course but since it's read only is it fine to do on production right away?).
Flags: needinfo?(jclaudius)
Comment 9•8 years ago
|
||
Roland: You've got a "all clear" from me if they want to CSP report only to start. The end goal of course is to have an inforced policy, but this is a good first step.
Flags: needinfo?(jclaudius)
Comment 10•8 years ago
|
||
Roland: any updates on the CSP rollout here? Let me know if you need visibility to those see-also bugs that greg and I have linked in that could be mitigated by the CSP rollout.
Updated•8 years ago
|
Flags: needinfo?(rtanglao)
Assignee | ||
Comment 11•8 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #10)
Hi :claudijd, see inline below!
> Roland: any updates on the CSP rollout here? Let me know if you need
> visibility to those see-also bugs that greg and I have linked in that could
if you referring to bug 1348172 and bug 1348170, yes I do have access, please give me access to any other
bugs if there are any!
> be mitigated by the CSP rollout.
Here's my latest reply to Lithium (copied and pasted from their supportcase system which isn't public)
BEGIN copy and paste from https://supportcases.lithium.com/50061000009MCTs
Hi Kris:
Re: Kris Stewart (3/15/2017 8:49 AM)
[1] Have you deployed ng-csp="no-unsafe-eval" to stage i.e. removed "unsafe-eval" from the CSP on stage? (I agree with what you wrote based on my very limited understanding of angular.js and CSP)
Sorry for my confusion because it's not clear. Please deploy it to stage if you haven't (it looks like you haven't based on this screenshot https://www.flickr.com/photos/roland/32714947994/in/dateposted-ff/ of stage: https://observatory.mozilla.org/analyze.html?host=support-stage.allizom.org ) and I will test but it looks like we have almost finished this!
[2] I am unencumbered :-) by both angular.js and security knowledge (April King and Jonathan Claudius) so I have to believe our security team when they say we should update angular.js. Should I open a separate support case to get the angular.js update on the roadmap? Since it's a separate issue, right?
Cheers!
...Roland
[1]
"Angular allows CSP without having to have
unsafe-eval. Specifically, we have added the use of the ngCsp
(https://docs.angularjs.org/api/ng/directive/ngCsp) angular feature
with the value specified no-unsafe-eval. See here for more
details. It's possible you may be seeing the issue detailed here:
http://stackoverflow.com/questions/25503213/angularjs-uses-eval-in-chrome-extension
"
[2]
"Regarding the version of angular we're currently running - there
is no specific reason we are running this version, we just have not
prioritized an update to the latest version. We can and we also may
update, but currently this is not on our backlog.
"
END
Flags: needinfo?(rtanglao)
Assignee | ||
Updated•8 years ago
|
Assignee | ||
Comment 12•8 years ago
|
||
Created By: Kris Stewart (3/20/2017 9:31 AM)
[Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com]
[Attachments: mozilla.prod-csp-sanitized-report.csv]
Hi all,
I've attached a report compiled from when CSP was enabled in reporting mode.
There's multiple domains reported and we don't want to just whitelist them all. Would you please take a look at your earliest convenience and send the report back my way once you've had an opportunity to review and decide which domains you'd like white listed?
Best regards,
Kris
Assignee | ||
Comment 13•8 years ago
|
||
April and Jonathan: regarding the list of domains in the attachment in comment 12 provided by Lithium. Is there a quick way to figure out which domains should be whitelisted?
I've whittled down the list painstakingly by hand and come up with a WIP list
Two questions:
1. Is there a better way for me to finish this list ?
2. And can you look at my WIP list [A]?
Cheers (any help gratefully received since I don't know much about this stuff!)!
...Roland
[A]
== Good: ==
https://d2xvc2nqkduarq.cloudfront.net (amazon CDN)
https://fonts.googleapis.com
https://gateway.zscaler.net (cloud security?)
https://cdncache-a.akamaihd.net (CDN?)
addthis.com, addthisedge.com (Lithium share button)
youtube.com
lithium.com
support.mozilla.org
== Potentially bad: ==
streamrail.com (ad network)
mxpnl.net (analyics)
vpaid.js (ad network)
stickyads (ad network)
https://connectionstrenth.com (ad network)
http://cdncash.net/ (ad network)
https://vast.yashi.com (ad network)
http://match.adsrvr.org/ (ad network)
https://partner-key.me (not sure what this is?!?)
https://fonts.gstatic.com (google analytics? google tracking?)
https://static.cmptch.com (malware?)
https://vid.springserve.com (ad network)
https://adnotbad.com (ad network)
https://takethatad.com (ad network)
https://awaybird.ru (ad network?)
https://data1.itineraire.info (?)
https://sdk.streamrail.com (ad network)
https://t.lkqd.net (ad network?)
https://x.rafomedia.com (ad network)
http://vid-io.springserve.com, (ad network)
https://ads.adaptv.advertising.com (ad network)
Flags: needinfo?(jclaudius)
Flags: needinfo?(april)
Comment 14•8 years ago
|
||
Roland: To pull in some context from one of the recent sec-bugs filed on SUMO, one of the things I learned is that Lithium supports HTML content in their support pages ( If I recall there was interest in turning this off ). I believe the reason you're seeing such a variety in the CSP reporting here is that you're likely seeing these reports on embedded user content. Instead of enumerating what is bad, I think we really should focus on what is needed for the site to operate, these are things that Lithium should be able to answer for us.
Flags: needinfo?(jclaudius)
Assignee | ||
Comment 15•8 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #14)
> Roland: To pull in some context from one of the recent sec-bugs filed on
> SUMO, one of the things I learned is that Lithium supports HTML content in
> their support pages ( If I recall there was interest in turning this off ).
> I believe the reason you're seeing such a variety in the CSP reporting here
> is that you're likely seeing these reports on embedded user content.
> Instead of enumerating what is bad, I think we really should focus on what
> is needed for the site to operate, these are things that Lithium should be
> able to answer for us.
hi jonathan: thanks again!
SUMO content has html (well not arbitrary html but links, bold and other simple html) but if by support pages you mean some other conten on LIthium than SUMO content than yes they should be able to answer. But I can only guess that maybe SUMO content has some bad studff?!?
Here's my final list:
== Good ==
https://d2xvc2nqkduarq.cloudfront.net (amazon CDN)
https://fonts.googleapis.com
https://gateway.zscaler.net (cloud security?)
https://cdncache-a.akamaihd.net (CDN?)
addthis.com, addthisedge.com (Lithium share button)
youtube.com
lithium.com
support.mozilla.org
google.com
hwsfp35778.i.lithium.com
https://www.google-analytics.com
https://code.jquery.com
support.cdn.mozilla.net
support.mozilla.org/legacy
translate.google.com
s3.amazonaws.com
== Potentially bad ==
streamrail.com (ad network)
mxpnl.net (analyics)
vpaid.js (ad network)
stickyads (ad network)
https://connectionstrenth.com (ad network)
http://cdncash.net/ (ad network)
https://vast.yashi.com (ad network)
http://match.adsrvr.org/ (ad network)
https://partner-key.me (not sure what this is?!?)
https://fonts.gstatic.com (google analytics? google tracking?)
https://static.cmptch.com (malware?)
https://vid.springserve.com (ad network)
https://adnotbad.com (ad network)
https://takethatad.com (ad network)
https://awaybird.ru (ad network?)
https://data1.itineraire.info (?)
https://sdk.streamrail.com (ad network)
https://t.lkqd.net (ad network?)
https://x.rafomedia.com (ad network)
http://vid-io.springserve.com, (ad network)
https://ads.adaptv.advertising.com (ad network)
apiboxrockinfo-a.akamaihd.net
https://apienhancetronic-a.akamaihd.net
https://asrvvv-a.akamaihd.net
https://cleanbrowser-a.akamaihd.net
https://intext-a.akamaihd.net
https://savingsslider-a.akamaihd.net
data1.allo-pages.fr
data1.bilan-imc.fr
https://fdz.octapi.net
hm.baidu.com
mc.yandex.com
search-goo.com
pstatic.bestpriceninja.com
https://data1.imc-calcular.com
https://cdn.optimatic.com
https://cdn.hiberniacdn.com
lb.apicit.net
http://tags.clickintext.net
net.ootil.fr
cdn.visadd.com
cjs.linkbolic.com
d2a8a4q9.ssl.hwcdn.net
mstat.acestream.net
eluxer.net
ext.kinoroombrowser.ru
www.adstomat.ru
tc.koushuidang.cn
rdc.apicit.net
https://www.findizer.fr
jsl.infostatsvc.com
s.igmhb.com
https://system.donation-tools.org
cdnins.123rede.com
stags.bluekai.com
i_tonginjs_info.tlscdn.com
pixel.yabidos.com
pstatic.davebestdeals.com
https://qnp.demisedcolonnaded.com
rules.similardeals.net
data1.recettes.net
foxi69.tlscdn.com
istatic.eshopcomp.com
findizer.fr
data1.iti-maps.fr
tags.clickintext.net
app.davebestdeals.com
1087072589.rsc.cdn77.org
qdatasales.com
ezb.elvenmachine.com
cdn-01.yumenetworks.com
ads.contextweb.com
fqtag.com
platform.epiphanyai.com
vast.bp3872166.btrll.com
app.bestpriceninja.com
data1.calcolo-bmi.com
fp1f171.digitaloptout.com
sgnr.bestpriceninja.com
nps.noproblemppc.com
pl.adsloads.com
pstatic.bestpriceninja.com
px.media-serving.com
sovetnik.market.yandex.ru
nps.noproblemppc.com
https://data1.yummmi.es
Comment 16•8 years ago
|
||
Roland: Please keep in mind that CSP reports likely include CSP violations generated by people attempting to do security testing and their browser self-reporting violations. For anything you have in the "good" column, I would vet that list with Lithium. Everything else, assuming this just affects our instance of Lithium, is likely ok to let the CSP kick-in and stop these.
Updated•8 years ago
|
Flags: needinfo?(april)
Comment 17•8 years ago
|
||
Roland: How's this going? We're getting more and more reports of XSS issues in SUMO and this would probably help mitigate a lot of them.
Flags: needinfo?(rtanglao)
Assignee | ||
Comment 18•8 years ago
|
||
Still waiting Jonathan sad face
here's the latest reply:
BEGIN COPY AND PASTE FROM Lithium's non public case system
Created By: Kris Stewart (4/11/2017 8:51 AM)
[Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com]
Hi all,
Our engineering folks have been testing CSP daily in an effort to get the correct set of violations so we can began white listing, but they'd like a little more time as they suspect that many of the violations being reported are likely from user cache and will clear up within a few days for a more accurate scan.
We can enable it today if needed, but the recommendation is to wait another 24-48 hours for a more detailed violation report.
If you're fine with this plan or have any concerns, please just let me know.
Thank you,
Kris
END COPY AND PASTE FROM Lithium's non public case system
Flags: needinfo?(rtanglao)
Assignee | ||
Comment 19•8 years ago
|
||
HI :claudijd
If 24-48 hours is too slow, please ping me!
Cheers!
...Roland
Flags: needinfo?(jclaudius)
Assignee | ||
Comment 21•8 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #16)
> Roland: Please keep in mind that CSP reports likely include CSP violations
> generated by people attempting to do security testing and their browser
> self-reporting violations. For anything you have in the "good" column, I
> would vet that list with Lithium. Everything else, assuming this just
> affects our instance of Lithium, is likely ok to let the CSP kick-in and
> stop these.
i will vet the good column manually with lithium because obviously they didn't read thoroughly when relayed your comment :claudijd. They came back with another 7000 line file :-( (which I will attach). My full reply is at the end of this comment [1]
Cheers!
...Roland
[1]
Created By: Sumo Team (4/24/2017 2:41 PM)
Hi Kris:
I will look at your 7000 line file today!
Again like our security folks, I still don't understand why you can't give us a list of sites Lithium needs to run the site instead of giving us a 7000 line file. Again here's what our security folks said:
"I think we really should focus on what is needed for the site to operate, these are things that Lithium should be able to answer for us"
What am I missing? I'm honestly not understanding this. Why can't you Lithium folks just give us a list of the sites you need for the site to operate.?
Cheers!
...Roland "unencumbered by security knowledge and not looking forward to going through a 7000 line csv file manually" Tanglao :-)
Assignee | ||
Comment 22•8 years ago
|
||
here's the 7000 line csv file that i promised in comment 21
:claudijd if you have time please take a look
otherwise i will go over the good list as per my comment in comment 21
Flags: needinfo?(jclaudius)
Assignee | ||
Comment 23•8 years ago
|
||
And here's the latest reply from Lithium [1]. As always, appreciate any insight you can give me :claudijd
[1] (copy and pasted from Lithium's non public system)
Created By: Kris Stewart (4/24/2017 2:48 PM)
[Recipients: Patrick McClard, Scott Riley, Ryan Ausano, Lisa Hern, rtanglao@mozilla.com]
Hi Roland,
I've requested a whitelist from engineering, but the ask here is whether the non-Lithium domains found in report mode should be blocked or permitted. Many of these we're unable to reproduce and suspect they may be the result of add-ons.
Best regards,
Kris
Assignee | ||
Comment 24•8 years ago
|
||
hi again :claudijd
I am puzzled by Kris's response:
"I've requested a whitelist from engineering, but the ask here is whether the non-Lithium domains found in report mode should be blocked or permitted."
My question to you :claudijd is: Wouldn't it be easier if Lithium Kris gave us the whitelist, then we could figure out which domains aren't on the Lithium engineering whitelist faster right?
Anyways after much yak shaving which is documented here:
https://github.com/rtanglao/rt-csp#24april2017-repeat-test-from-22march2017
I came up with my good and bad list. [1]
https://github.com/rtanglao/rt-csp/blob/master/14april2017-mozilla-good-bad-domains.md
I'll ask Lithium Kris to check my list [1] against the Lithium engineering whitelist.
Cheers!
...Roland
[1]
= Probably Good =
http://s3.amazonaws.com
https://hwsfp35778.i.lithium.com
https://s7.addthis.com (lithium share button?)
addthis.com
addthisedge.com
addthiscdn.com
https://d2xvc2nqkduarq.cloudfront.net (amazon CDN)
cloudfront.net
https://fonts.googleapis.com
ajax.googleapis.com
translate.googleapis.com
https://gateway.zscaler.net (cloud security?)
https://cdncache-a.akamaihd.net (CDN?)
akamaihd.net
youtube.com
lithium.com
support.mozilla.org
mozilla.net
mozilla.org
google.com
gstatic.com
https://www.google-analytics.com
https://code.jquery.com
support.cdn.mozilla.net
support.mozilla.org/legacy
translate.google.com
amazon.co.jp # start of domains hand added by Roland 14April2017
amazonaws.com
bootstrapcdn.com
cdn3.org
cdnjs.org
cdnnetwok.xyz
googletagmanager.com
googleusercontent.com
googlevideo.com
keycdn.com
jquerylib.net
netdna-ssl.com
netwcdn.xyz
opera-mini.net
cloudflare.com
validcdn.xyz
= Probably Bad =
https://pre.glotgrx.com
https://jsl.infostatsvc.com
1087072589.rsc.cdn77.org
123rede.com
1rx.io
acestream.net
adap.tv
adnotbad.com
adsloads.com
adsrvr.org
adstomat.ru
advertising.com
allo-pages.fr
altitude-arena.com
altitudeplatform.com
angsrvr.com
apicit.net
awaybird.ru
baidu.com
bestpriceninja.com
bfmio.com
bilan-imc.fr
bluekai.com
btrll.com
calcolo-bmi.com
casalemedia.com
cdncash.net
cdncash.org
clickintext.net
cmptch.com
connectionstrenth.com
contextweb.com
davebestdeals.com
de17a.com
demisedcolonnaded.com
digitaloptout.com
donation-tools.org
eluxer.net
epiphanyai.com
eshopcomp.com
findizer.fr
fqtag.com
hwcdn.net
igmhb.com
imc-calcular.com
infostatsvc.com
iti-maps.fr
itineraire.info
kinoroombrowser.ru
koushuidang.cn
krxd.net
linkbolic.com
lkqd.net
lm15d.com
media-serving.com
mega-tags.com
mxpnl.net
noproblemppc.com
octapi.net
ootil.fr
optimatic.com
partner-key.men
q1media.com
qdatasales.com
rafomedia.com
recettes.net
rllcll.com
search-goo.com
sekindo.com
similardeals.net
springserve.com
stickyadstv.com
streamrail.com
streamrail.net
takethatad.com
tlscdn.com
urlvalidation.com
vertamedia.com
visadd.com
yabidos.com
yandex.ru
yashi.com
yumenetworks.com
yummmi.es
2016olympics-br.com # START of domains added by Roland manually from 14April2017 spreadsheet
4iy269pif3b3dd.ru
6ef16ds1mocmo.ru
abounddinged.com
addomain.men
adepty.org
adforgecdn.com
adforgeinc.com
adsload.net
adstarknetwork.com
advpartners.org
ahrefs.com
akamoihd.net
albumsuper.info
alexasurfing.com
algovid.com
altruistictask.com
am15.net
amiouze.fr
aniview.com
anyclip-media.com
apelsinnik.website
appgogle.com
aqovd.com
avg.com
beachfrontmedia.com
beleelashoppersearch.com
best-mind.men
betteradssoftware.com
bookhome.info
booob.men
buyads.men
bymebiker.com
chumcharter.com
cignalio.com
ciuvo.com
corulka.net
coull.com
coullmedia.com
cpvsoler.com
dashbid.io
dashbida.com
dc121677.com
dcbap.com
decipheringwarns.com
deferringplateaus.com
deliads.com
determineyourroad.com
dfgio.com
discountliv.com
dpknlgtbjs.info
fanqianbb.com
fast-searcher-sng-v4.com
fast-searcher-v5.com
fast-searcher-ww-v3.com
filmkaynagi.com
hiberniacdn.com
hosterads.men
icafemanager.com
igithab.com
ima3vpaid.appspot.com
imbueisotope.com
imgsrv.io
imgur.com
inafqjanby.ru
innoapi.info
jollywallet.com
journallingpercolates.com
kaspersky-labs.com
ketrananing.ru
khojdeal.com
kickassapp.com
konflab.com
lcloud.com
lijit.com
llnwd.net
loadroute.ru
mapsworldglobal.com
max-endeavor.men
max-up.men
maxads.men
maxeclat.men
mecash.ru
mein-bmi.com
metabar.ru
minperil.men
moujaz.net
msecnd.net
multiverse.cm
mxgetcode.com
myie.cc
n170adserv.com
naver.com
nicoext.com
nwcdn.xyz
odbabo.info
ohoteldeals.com
onclickcool.com
onedrive.su
onlinemegax.com
outputsteddy.com
partner-print.men
partner-safe.men
partners-ship.pro
partnertrust.men
pmddby.com
pnamic.com
portadd.men
prod2016.com
przelewy24.pl
pubmatic.com
purplestats.com
qomesn.com
quantserve.com
quick-searcher-v4.biz
quick-searcher-world-v2.biz
rakuten.co.jp
rangeblessedness.men
rapturesriskier.com
ratexchange.net
refbut.ru
regionu.men
regionw.men
safe-recommendations.appspot.com
sakutraplin.com
salivaunsnarlreprint.com
sascdn.com
schbot.ru
screenz.info
searchusd.com
shoppingate.info
shoppytoolmac.com
siteheart.net
slimness.fr
smartadserver.com
snowplanes.com
spotscenered.info
spotxchange.com
squad-t.men
srdrvp.com
stats-collector.org
stbridge.ru
surfbuyermac.com
tdsrmbl.net
tekblue.net
testersgroupfun.com
tfxiq.com
tidaltv.com
tohotweb.com
tr553.com
tr563.com
trafmag.com
trendmicro.com
trendmicro.jp
trumpetedextremes.com
trytoweb.pro
uc.gre
ucweb.com
uczzd.cn
unoadsrv.com
unocdn.com
uprise.website
utop.it
v207.info
v24s.net
video2mp3.at
videojam.tv
viglink.com
vj-vid.com
walkme.com
walmart.com
worldssl.net
xcetkbl.com
xn--wgbafiz2bycof.online
yourads.website
zryydi.com
Assignee | ||
Comment 25•8 years ago
|
||
I asked Lithium to provide the full Lithium engineering whitelist. See [1]
[1]
Created By: Sumo Team (4/24/2017 10:58 PM)
hi again Kris
I am puzzled by your response:
"I've requested a whitelist from engineering, but the ask here is whether the non-Lithium domains found in report mode should be blocked or permitted."
My question to you Kris is: Wouldn't it be easier if Lithium gave Mozilla the Lithium engineering whitelist, then Mozilla could figure out which domains aren't on the Lithium engineering whitelist faster right?
Anyways after much yak shaving which is documented here:
https://github.com/rtanglao/rt-csp#24april2017-repeat-test-from-22march2017
I came up with my good and bad list.
https://github.com/rtanglao/rt-csp/blob/master/14april2017-mozilla-good-bad-domains.md [1]
Kris:
1. Please check my list [1] against the Lithium engineering whitelist.
2. Please provide the Lithium engineering whitelist ASAP.
Cheers!
...Roland
Comment 26•8 years ago
|
||
Roland: I don't believe the bad-list is relevant, per comment 16. The CSP policy is effectively a white-list, so anything not in the white-list/good-list is dropped, we'd ideally have 95% or more of that should come directly from the Lithium team. The extra 5% would be anything that we explicitly want to add in addition to the Lithium platform.
Flags: needinfo?(jclaudius)
Assignee | ||
Comment 27•8 years ago
|
||
(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #26)
> Roland: I don't believe the bad-list is relevant, per comment 16. The CSP
> policy is effectively a white-list, so anything not in the
> white-list/good-list is dropped, we'd ideally have 95% or more of that
> should come directly from the Lithium team. The extra 5% would be anything
> that we explicitly want to add in addition to the Lithium platform.
cool, thanks for comment 26, i've relayed your comment to Lithium
Assignee | ||
Comment 28•8 years ago
|
||
Hi all:
I asked Lithium to enable CSP on production [1]
Cheers!
...Roland
[1]
Created By: Sumo Team (5/1/2017 10:35 AM)
Hello Kris:
Please enable CSP on production which currently is set to:
hwsfp35778.lithium.com
Cheers!
...Roland
Assignee | ||
Comment 29•8 years ago
|
||
hopefully once Lithium implements CSP on production which is currently hwsfp35778.lithium.com that this score will improve from F to something better.
Assignee | ||
Comment 30•8 years ago
|
||
Comment on attachment 8849445 [details]
mozilla.prod-csp-sanitized-report.csv
marking as obsolete, superseded by 14april2017 csv
Attachment #8849445 -
Attachment is obsolete: true
Assignee | ||
Updated•8 years ago
|
Summary: [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org → [li-00134461] [observatory] Please change the CSP header so that it passes the scan at: https://observatory.mozilla.org/analyze.html?host=support.mozilla.org
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•