Ensure appropriate resource requests for endpoints (layout, feed, spoc)
Categories
(Firefox :: New Tab Page, enhancement, P1)
Tracking
()
People
(Reporter: Mardak, Assigned: Mardak)
References
Details
(Keywords: github-merged)
Attachments
(1 file)
In bug 1513311 for "remote css" we restricted urls to resource chrome https://img-getpocket.cdn.mozilla.net
There's a number of requests including layout endpoint, spoc endpoint, feed endpoint, article images, article links.
If any of those are not local, they probably should restrict which domains, requires https, no cookies, etc.
Not sure how we want to deal with testing/development ergonomics at least for the layout endpoint… perhaps nightly/dev builds are allowed a larger list of domains?
Comment 1•6 years ago
•
|
||
I'm fairly sure that in production all spoc and recommendation feeds will come from https://getpocket.cdn.mozilla.net and all images come from https://img-getpocket.cdn.mozilla.net. During development we also use https://*.dev.readitlater.com or https://getpocket.com.
Are you able to whitelist *.mozilla.net, *.readitlater.com, and getpocket.com? All of these work on HTTPS, so it's fine to require that.
Comment 2•6 years ago
|
||
Checked with Nick, and the above list is good for this release.
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment 4•6 years ago
|
||
[Tracking Requested - why for this release]: part of Pocket + newtab mvp
Assignee | ||
Comment 5•6 years ago
|
||
k88hudson, I believe we can wontfix this for 66 if bug 1524669 (already tracking66+) will cover both article images and links? The remaining item here would be feed requests, and I believe the meeting last week we decided that it wouldn't be necessary for 66 experiments to ensure those are of the allowed domains.
Also, it was confirmed that the approach of having a whitelist in a pref is acceptable and that for development/manual testing, that person should change the pref to include the desired additional dev domain, etc. For automation, we probably want to allow data uris too.
Comment 6•6 years ago
|
||
This seems reasonable. Just to clarify, you also mean that we should also whitelist image URLs via a separate whitelist pref?
Updated•6 years ago
|
Assignee | ||
Comment 7•6 years ago
|
||
Confirmed that restricting image URLs more than protocol (already covered by CSP) to some domains is not necessary and is potentially undesired if we need to change image endpoints. So the main concern is just whitelisting the layout and article/spoc feed requests.
Updated•6 years ago
|
Comment 8•6 years ago
|
||
Assignee | ||
Comment 9•6 years ago
•
|
||
QA steps:
-
try to change
.config
layout endpoint to https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=dev-test-all (note getpocket.com instead of cdn) -
open new tab and verify it didn't change layout
-
change
browser.newtabpage.activity-stream.discoverystream.endpoints
to "https://getpocket.com/" -
change layout endpoint to https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
-
open new tab and verify it changed to that layout but has no articles (error console should show something like
Failed to fetch https://getpocket.cdn.mozilla.net/v3/… Not one of allowed prefixes (https://getpocket.com/)
-
change
.endpoints
to "https://getpocket.com/,https://getpocket.cdn.mozilla.net/" -
change layout endpoint to https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=66-beta-2-complex
-
open new tab and verify it changed to that layout with articles
Comment 10•6 years ago
|
||
Brahmini, you're up! QA instructions in #c9 above
Comment 11•6 years ago
•
|
||
This bug hasn't made it to nightly yet, it should make it in by tomorrow (i.e. is not ready for testing yet)
Comment 12•6 years ago
|
||
Thanks for the update. Can you NI me when it's ready.
Comment 13•6 years ago
|
||
Updated•6 years ago
|
Comment 14•6 years ago
•
|
||
QA Results: Pass
Tested on :
FF Nightly version : 68.0a1 (2019-03-18)
OS : Mac and Windows 10 Pro
Works as expected on latest Nightly.
Marking as verified.
Updated•6 years ago
|
Updated•5 years ago
|
Description
•