Closed Bug 1422590 Opened 8 years ago Closed 8 years ago

xss on the site qsurvey.mozilla.com

Categories

(Websites :: Other, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ignatio2007, Unassigned)

References


Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

How to reproduce:
1. Navigate to the URL: http://qsurvey.mozilla.com/s3/?__slug=www.surveygizmo.com/s3/4039568/123
2. A popup alert with the name of the domain will be shown.
Flags: sec-bounty?
Thanks Sergey. I can validate this bug. Ally, this looks very similar to a bug reported a month ago, and was later fixed by SG (bug 1414696). Can you please have the SG team look into this instance as well? Ideally, we would like to see a root cause fix, rather than fixing individual vulnerability instances.
Flags: needinfo?(allysa.netzel)
See Also: → 1414696
Ally: furthermore, this appears to be systemic and fixes do not appear to be fixing the core issue. Can the SurveyGizmo team please address that specific concern in your response?
Hi All - I have passed this information along and will update when I know more. Thank you!
Flags: needinfo?(allysa.netzel)
Ally – is there any way for Mozilla to add specific HTTP headers to our domain (qsurvey.mozilla.com)?
Flags: needinfo?(allysa.netzel)
Hi April - Could you please explain why you need this and what you are trying to do, so I may pass this information along as well? Thank you!
Flags: needinfo?(allysa.netzel)
We have had a *lot* of XSS bugs on qsurvey, at least a dozen or so by now. If we could set our own Content-Security-Policy (CSP) header on our domain, it would go a long way towards at least stopping the bad effects of all these XSS vulnerabilities in qsurvey.
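The comment above argues that a Content-Security-Policy header on qsurvey.mozilla.com would blunt the impact of XSS bugs even while the underlying reflection bugs remain unfixed. The following is an added example, not code from this bug or from SurveyGizmo: a hypothetical page handler that reflects the `__slug` parameter into its HTML unescaped (the bug's actual injection point is not described in the report, so the reflection location, the `startSurvey()` script and the policy text are all assumptions), plus a small simulation of the CSP3 script-src rules the browser would apply. The reflection bug is deliberately left in place so the example shows what the header alone changes.

```python
"""Added example (not the page's or SurveyGizmo's code): a nonce-based CSP
header stopping a reflected <script> injection on a page whose HTML bug is
deliberately NOT fixed. The handler is hypothetical."""
import re
import secrets
from urllib.parse import parse_qs

# Matches each <script ...>...</script> element; group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
NONCE_ATTR_RE = re.compile(r'nonce="([^"]*)"')


def parse_csp(header):
    """Parse a CSP header value into {directive-name: [source expressions]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_allowed(csp_header, nonce_attr):
    """Would a <script> element carrying nonce_attr (None if it has none)
    execute under csp_header? Applies the CSP3 rule that 'unsafe-inline'
    is ignored for script-src once a nonce or hash source is present."""
    if csp_header is None:
        return True  # no policy at all: the browser runs every script
    d = parse_csp(csp_header)
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return True  # neither script-src nor default-src: allowed by default
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha")
                            for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    return nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources


def render_survey_page(query_string, with_csp):
    """Hypothetical handler for /s3/?__slug=... (assumption, not the real
    survey code). It reflects __slug into the HTML unescaped in both modes;
    with_csp=True only adds a per-response nonce policy header."""
    slug = parse_qs(query_string).get("__slug", [""])[0]
    nonce = secrets.token_urlsafe(16)  # fresh, unguessable per response
    headers = {"Content-Type": "text/html; charset=utf-8"}
    if with_csp:
        headers["Content-Security-Policy"] = (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'"
        )
    body = (
        "<html><body>"
        f"<p>Loading survey {slug}</p>"                      # the unescaped reflection
        f'<script nonce="{nonce}">startSurvey();</script>'  # the site's own script
        "</body></html>"
    )
    return headers, body


def executed_scripts(headers, body):
    """Simulate the browser: return the bodies of the script elements that the
    response's CSP (if any) lets execute, in document order."""
    csp = headers.get("Content-Security-Policy")
    ran = []
    for attrs, code in SCRIPT_RE.findall(body):
        n = NONCE_ATTR_RE.search(attrs)
        if script_allowed(csp, n.group(1) if n else None):
            ran.append(code)
    return ran


def demo(query_string, with_csp):
    """End to end: request with an attacker-controlled __slug, list what runs."""
    headers, body = render_survey_page(query_string, with_csp)
    return executed_scripts(headers, body)


# Constructed attacker inputs: a plain injection, and one that guesses a nonce.
PAYLOAD = "__slug=%3Cscript%3Ealert(document.domain)%3C/script%3E"
GUESSED_NONCE = "__slug=%3Cscript%20nonce%3D%22guess%22%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print("no CSP   :", demo(PAYLOAD, with_csp=False))   # injected script runs
    print("with CSP :", demo(PAYLOAD, with_csp=True))    # only startSurvey() runs
    print("guessed  :", demo(GUESSED_NONCE, with_csp=True))
```

The header shown is a mitigation, not a fix: the reflection still allows arbitrary HTML injection (for example an attacker-supplied form or link), which is why the thread keeps asking SurveyGizmo for a root-cause fix. A policy like this also only works if every legitimate inline script on the page carries the per-response nonce; any third-party widget that relies on `'unsafe-inline'` would break and would need a nonce, a hash, or a host source of its own.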
A release fixing this bug went live today! I also heard that Jaime is working with you to get the header you want set up.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
Group: websites-security