[BinAST] Whitelist cdnjs on Nightly
Categories
(Core :: JavaScript Engine, task, P2)
Tracking

Tracking | Status |
---|---|
firefox69 | fixed |
People
(Reporter: Yoric, Assigned: Yoric)
Attachments (1 file)
Cloudflare would like to run BinAST tests from cdnjs.
This would require extending our whitelist to add cdnjs (or maybe a subset thereof?). The first order is to determine whether there is any security reason not to do this.

Comment 1 • 6 years ago
From a fuzzing perspective, BinAST is well covered by now (about 90% code coverage), we found a few bugs in the past and those have been fixed quickly. I don't think it is particularly risky to expose this further.
Comment 2 • 6 years ago
Who else would we need to talk to?
Comment 3 • 6 years ago
Forwarding this to :dveditz.
Dan, who else would have to sign off on this change, from a security perspective?
Comment 4 • 6 years ago
To clarify: it's a preffed-off, Nightly-only feature for the moment.

Comment 5 • 6 years ago
How did the current whitelist get set/approved? Maybe go that route (I don't think security was involved). The current whitelist is amusingly at odds with some recent marketing messages.
Comment 6 • 6 years ago

The current list of hosts is from bug 1519302.
The bug is about restricting the hosts (previously, it was available on all hosts; the bug reduced the allowed hosts to only 2),
and there was no specific approval for the list.
Comment 7 • 6 years ago

(In reply to Daniel Veditz [:dveditz] from comment #5)
> How did the current whitelist get set/approved? Maybe go that route (I don't think security was involved). The current whitelist is amusingly at odds with some recent marketing messages.
Sorry, Daniel — which marketing messages in particular?
Depending on the message, maybe we should tell someone in marketing that this whitelist exists.
This is a partner effort, and it's just a Nightly-only, preffed-off-by-default experiment at this stage. I'm sure it's OK. But we don't want anyone to be surprised.
Comment 8 • 6 years ago

(In reply to Jason Orendorff [:jorendorff] from comment #7)
>> The current whitelist is amusingly at odds with some recent marketing messages.
> Sorry, Daniel — which marketing messages in particular?
The only domains in the pref currently are Facebook, while we've been pushing messaging castigating Facebook (e.g. Facebook Container add-on). It's not really at odds -- we cooperate with Facebook on all kinds of things -- but it struck me as funny that they were the only ones in there, not simply one-of-several tech biggies.
> This is a partner effort, and it's just a Nightly-only, preffed-off-by-default experiment at this stage. I'm sure it's OK. But we don't want anyone to be surprised.
It doesn't bother me (given comment 1). It will be better when we're confident enough in the feature that we don't have a domain whitelist at all. Meanwhile Nightly is for testing: have at it.
Comment 9 • 6 years ago
Thanks, Daniel. We're on the same page.
Updated • 6 years ago

Comment 10 • 6 years ago

(In reply to David Teller [:Yoric] (please use "needinfo") from comment #0)
> Cloudflare would like to run BinAST tests from cdnjs.
> This would require extending our whitelist to add cdnjs (or maybe a subset thereof?) The first order is to determine whether there is any security reason not to do this.
Okay, so for further testing we'd like to add, and got approvals for, the following domain sets:

- *.cloudflare.com (this will include our own Cloudflare domains as well as CDN JS we partner with)
- *.cloudflarestream.com (this is mostly for the large video embed JS that is used on various sites and could benefit from BinAST testing)
- unpkg.com (we'll use it somewhat later down the line after testing on domains listed above, but would like to add to the list as early as possible to make it easier to enable the feature on our side when we get there)
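The domain sets above are host allowlist patterns, and the security value of such a list depends entirely on how the matching is done: `*.cloudflare.com` should cover `cdnjs.cloudflare.com` but not `notcloudflare.com` or `cdnjs.cloudflare.com.attacker.example`. The following is an added example, not Firefox's BinAST allowlist code and not from anyone in this bug; it assumes the usual semantics that a bare hostname matches only itself, that `*.example` matches any subdomain but not the apex, and (an assumption the bug does not state) that only `https` origins qualify. The allowlist contents are constructed from the three entries listed in comment 10.

```python
"""Host allowlist matcher for patterns such as "*.cloudflare.com" and "unpkg.com".

Added example (not Firefox's BinAST code). Assumed semantics:
  - "host.example"   matches exactly that host (case-insensitive, trailing dot ignored)
  - "*.host.example" matches any subdomain of host.example, but NOT host.example itself
  - only https URLs are eligible (assumption; the bug does not say this)
"""
from urllib.parse import urlsplit

# Constructed allowlist mirroring the domain sets named in comment 10.
ALLOWED_HOSTS = ("*.cloudflare.com", "*.cloudflarestream.com", "unpkg.com")


def normalize_host(host):
    """Lower-case the hostname and drop a trailing root dot so that
    'UNPKG.COM.' and 'unpkg.com' compare equal."""
    return host.strip().lower().rstrip(".")


def host_matches(pattern, host):
    """Return True if `host` is covered by the allowlist entry `pattern`."""
    pattern = normalize_host(pattern)
    host = normalize_host(host)
    if pattern.startswith("*."):
        # Keep the leading dot in the suffix: ".cloudflare.com" rejects
        # "notcloudflare.com", and the length check rejects the bare apex.
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def url_allowed(url, allowlist=ALLOWED_HOSTS):
    """Decide whether a script URL is served from an allowlisted host.

    urlsplit().hostname strips userinfo and port, so a URL like
    'https://unpkg.com@attacker.example/x.js' resolves to attacker.example
    and is rejected rather than matched on the 'unpkg.com' prefix."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches(pattern, parts.hostname) for pattern in allowlist)


if __name__ == "__main__":
    # Constructed sample URLs: two that should pass and four that should not.
    for sample in (
        "https://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.min.js",
        "https://unpkg.com/example@1.0.0/dist/example.js",
        "https://cloudflare.com/script.js",                       # apex, not a subdomain
        "https://notcloudflare.com/script.js",                    # suffix without the dot
        "https://cdnjs.cloudflare.com.attacker.example/script.js",  # allowlisted name as a prefix
        "https://unpkg.com@attacker.example/script.js",           # userinfo trick
    ):
        print(f"{url_allowed(sample)!s:5}  {sample}")
```

The trailing-dot and case handling matter because the host a script is fetched from is compared against the list as a string; without normalization, `UNPKG.COM.` would silently fall outside the list even though it names the same host.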
Comment 11 • 6 years ago

Comment 12 • 6 years ago

Comment 13 • 6 years ago

bugherder

Comment 14 • 6 years ago

bugherder

Updated • 6 years ago