Closed Bug 1445663 Opened 7 years ago Closed 7 years ago

Hosts listed in extensions.webextensions.restrictedDomains are not properly configured

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jan, Unassigned)

References

Details

(Keywords: nightly-community, Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6373])

extensions.webextensions.restrictedDomains has been recently introduced and led to a regression: bug 1445650

This is a check of all domains listed in extensions.webextensions.restrictedDomains:

> accounts-static.cdn.mozilla.net
https://observatory.mozilla.org/analyze/accounts-static.cdn.mozilla.net
* missing: CSP, HSTS, http to https redirection, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection
https://www.hardenize.com/report/accounts-static.cdn.mozilla.net/1521039512
* missing IPv6, CAA, (smtp: NULL MX)
* PFS AEAD is not always preferred
https://www.ssllabs.com/ssltest/analyze.html?d=accounts%2dstatic.cdn.mozilla.net&s=52.84.237.182&hideResults=on&latest
* unusual/bad ECDH curve list (and missing X25519)
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> accounts.firefox.com
https://observatory.mozilla.org/analyze/accounts.firefox.com
* good
https://www.hardenize.com/report/accounts.firefox.com/1521039884
* missing: IPv6, DNSSEC, CAA, (smtp: IPv6, DMARC, DANE)
* PFS AEAD is not always preferred
* DHE 1024 bit
https://www.ssllabs.com/ssltest/analyze.html?d=accounts.firefox.com&s=34.218.160.67&hideResults=on&latest
* missing X25519
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> addons.cdn.mozilla.net
https://observatory.mozilla.org/analyze/addons.cdn.mozilla.net
* missing: CSP, HSTS, http to https redirection, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection
https://www.hardenize.com/report/addons.cdn.mozilla.net/1521040085
* missing: IPv6, CAA, (smtp: NULL MX)
* PFS AEAD is not always preferred
https://www.ssllabs.com/ssltest/analyze.html?d=addons.cdn.mozilla.net
* unusual/bad ECDH curve list (and missing X25519)
* missing http/2
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> addons.mozilla.org
https://observatory.mozilla.org/analyze/addons.mozilla.org
* good
https://www.hardenize.com/report/addons.mozilla.org/1521040413
* missing IPv6, CAA, HSTS Preloading (smtp: IPv6, PFS AEAD, SPF, DMARC, DANE, correct PTR)
* PFS AEAD is not always preferred
* GOOGLE ANALYTICS. Mozilla is often criticized for that on German IT news forums, please remove it: You may use a self-hosted Piwik.
https://www.ssllabs.com/ssltest/analyze.html?d=addons.mozilla.org&s=52.38.152.86&hideResults=on&latest
* missing X25519, http/2
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> api.accounts.firefox.com
https://observatory.mozilla.org/analyze/api.accounts.firefox.com
* missing: CSP
https://www.hardenize.com/report/api.accounts.firefox.com/1521040793
* missing: IPv6, DNSSEC, CAA, (smtp: NULL MX)
* PFS AEAD is not always preferred
* DHE 1024 bit
https://www.ssllabs.com/ssltest/analyze.html?d=api.accounts.firefox.com&s=54.186.1.253&hideResults=on&latest
* missing X25519, http/2
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> content.cdn.mozilla.net
* does not exist

> input.mozilla.org
https://observatory.mozilla.org/analyze/input.mozilla.org
* missing: CSP, secure cookies, HSTS, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection
https://www.hardenize.com/report/input.mozilla.org/1521041068
* missing: IPv6, CAA, HSTS Preloading, (smtp: NULL MX)
* non-PFS AES128-GCM/CBC-SHA2 are preferred over PFS SHA1
https://www.ssllabs.com/ssltest/analyze.html?d=input.mozilla.org
* missing X25519
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> install.mozilla.org
* does not exist

> oauth.accounts.firefox.com
https://observatory.mozilla.org/analyze/oauth.accounts.firefox.com
* missing: CSP
https://www.hardenize.com/report/oauth.accounts.firefox.com/1521041371
* missing: IPv6, DNSSEC, CAA, (smtp: NULL MX)
* PFS AEAD is not always preferred
* DHE 1024 bit
https://www.ssllabs.com/ssltest/analyze.html?d=oauth.accounts.firefox.com&s=52.10.167.63&hideResults=on&latest
* missing X25519, http/2
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> profile.accounts.firefox.com
https://observatory.mozilla.org/analyze/profile.accounts.firefox.com
* missing: CSP
https://www.hardenize.com/report/profile.accounts.firefox.com/1521041517
* missing: IPv6, DNSSEC, CAA, (smtp: NULL MX)
* PFS AEAD is not always preferred
* DHE 1024 bit
https://www.ssllabs.com/ssltest/analyze.html?d=profile.accounts.firefox.com&s=35.161.236.212&hideResults=on&latest
* missing X25519, http/2
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> support.mozilla.org
https://observatory.mozilla.org/analyze/support.mozilla.org
* missing: CSP
https://www.hardenize.com/report/support.mozilla.org/1521041741
* missing: IPv6, CAA, HSTS Preloading (smtp: NULL MX)
* PFS AEAD is not preferred
https://www.ssllabs.com/ssltest/analyze.html?d=support.mozilla.org&hideResults=on
* missing X25519, http/2
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2

> sync.services.mozilla.com
* does not exist

> testpilot.firefox.com
https://observatory.mozilla.org/analyze/testpilot.firefox.com
* good
https://www.hardenize.com/report/testpilot.firefox.com/1521041980
* missing: IPv6, DNSSEC, CAA, (smtp: NULL MX), (strange: missing X-Frame-Options)
* PFS AEAD is not always preferred
* "Poorly constructed certificate chain"
* GOOGLE ANALYTICS. Mozilla is often criticized for that on German IT news forums, please remove it: You may use a self-hosted Piwik.
https://www.ssllabs.com/ssltest/analyze.html?d=testpilot.firefox.com&s=52.84.237.166&hideResults=on&latest
* missing OCSP stapling
* unusual/bad ECDH curve list (and missing X25519)
* is TLS 1.0 really needed? https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=31.3.0%20ESR&platform=Win%207&key=84 supports TLS 1.2
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/6373]
April, thoughts? I'm not sure what all extensions.webextensions.restrictedDomains is used for.
Flags: needinfo?(april)
Today I found out that addons can't read and set things on some Mozilla websites anymore. Then I got the idea to check all those hostnames and filed this ticket. This report should be just an overview. It would be fine to close this as incomplete/duplicate.

Questions based on https://www.mozilla.org/en-US/about/manifesto/#principle-08:

Do you have a public to-do list about these things? For example:
* When will you click on the button at Akamai to enable DNSSEC on firefox.com as it is already done for mozilla.org? (At which position of your to-do list is it currently placed? Would it be possible to configure P-256 like Cloudflare instead of RSA?)
* Do you just have the cheapest/wrong AWS package? (https://ipv6.watch/ Ctrl+F Mozilla, mozilla/tls-observatory#148, bug 1309201)
* Are you planning to make a checklist so that bug 1442994 (and friends) won't happen again?
* Is there any publicly accessible provider comparison regarding your needs? (e.g. Google Cloud vs. AWS vs. Akamai vs. Cloudflare vs. Hetzner Cloud vs. own hardware)

My comments sound more severe than intended. I'm just interested in what's going on.^^
I wouldn't say that it's "recent". As far as I know (and I could be wrong), these sites have been forbidden from running webExtensions as long as there have been webExtensions. These sites are given special privileges inside Firefox, and allowing add-ons to run on them could allow malicious add-ons to do things like install new extensions, reset profiles, etc. I believe Chrome does the same thing for their webExtensions; for example, I don't think they can run inside the Chrome extension web store.

If you want extensions to run, you can either:
- Remove them from the restricted list
- Access them via an extra dot after the domain, such as https://addons.mozilla.org./
Flags: needinfo?(april)
Closing this bug because it covers multiple unrelated sites and issues. Mozilla is always working to improve our website configurations over time to add support for IPv6, X25519, etc. and deprecate features like TLS 1.0. If you'd like to participate in our bug bounty program for website security issues, please see here for additional information: https://www.mozilla.org/en-US/security/web-bug-bounty/ Thanks, and we appreciate your help!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard