Closed Bug 1544734 Opened 5 years ago Closed 5 years ago

[BinAST] Whitelist cdnjs on Nightly

Categories: Core :: JavaScript Engine, task, P2

Status: RESOLVED FIXED (mozilla69)
Tracking Status: firefox69 --- fixed

People: Reporter: Yoric, Assigned: Yoric

Attachments: 1 file

Cloudflare would like to run BinAST tests from cdnjs.

This would require extending our whitelist to add cdnjs (or maybe a subset thereof?) The first order is to determine whether there is any security reason not to do this.

From a fuzzing perspective, BinAST is well covered by now (about 90% code coverage), we found a few bugs in the past and those have been fixed quickly. I don't think it is particularly risky to expose this further.

Who else would we need to talk to?

Flags: needinfo?(choller)
Flags: needinfo?(arai.unmht)

Forwarding this to :dveditz.

Dan, who else would have to sign off on this change, from a security perspective?

Flags: needinfo?(choller) → needinfo?(dveditz)

To clarify: it's a preffed-off, Nightly-only feature for the moment.

How did the current whitelist get set/approved? Maybe go that route (I don't think security was involved). The current whitelist is amusingly at odds with some recent marketing messages.

Flags: needinfo?(dveditz)

The current list of hosts is from bug 1519302.
The bug is about restricting the hosts (previously, it was available on all hosts; the bug reduced the allowed hosts to only 2),
and there was no specific approval for the list.

Flags: needinfo?(arai.unmht)

(In reply to Daniel Veditz [:dveditz] from comment #5)

> How did the current whitelist get set/approved? Maybe go that route (I don't think security was involved). The current whitelist is amusingly at odds with some recent marketing messages.

Sorry, Daniel — which marketing messages in particular?

Depending on the message, maybe we should tell someone in marketing that this whitelist exists.

This is a partner effort, and it's just a Nightly-only, preffed-off-by-default experiment at this stage. I'm sure it's OK. But we don't want anyone to be surprised.

Flags: needinfo?(dveditz)

(In reply to Jason Orendorff [:jorendorff] from comment #7)

> > The current whitelist is amusingly at odds with some recent marketing messages.
>
> Sorry, Daniel — which marketing messages in particular?

The only domains in the pref currently are Facebook, while we've been pushing messaging castigating Facebook (e.g. Facebook Container add-on). It's not really at odds -- we cooperate with Facebook on all kinds of things -- but it struck me as funny that they were the only ones in there, not simply one-of-several tech biggies.

> This is a partner effort, and it's just a Nightly-only, preffed-off-by-default experiment at this stage. I'm sure it's OK. But we don't want anyone to be surprised.

It doesn't bother me (given comment 1). It will be better when we're confident enough in the feature that we don't have a domain whitelist at all. Meanwhile Nightly is for testing: have at it.

Flags: needinfo?(dveditz)

Thanks, Daniel. We're on the same page.

Priority: -- → P2

(In reply to David Teller [:Yoric] (please use "needinfo") from comment #0)

> Cloudflare would like to run BinAST tests from cdnjs.
>
> This would require extending our whitelist to add cdnjs (or maybe a subset thereof?) The first order is to determine whether there is any security reason not to do this.

Okay, so for further testing we'd like to add and got approvals for the following domain sets:

  • *.cloudflare.com (this will include our own Cloudflare domains as well as CDN JS we partner with)
  • *.cloudflarestream.com (this is mostly for the large video embed JS that is used on various sites and could benefit from BAST testing)
  • unpkg.com (we'll use it somewhat later down the line after testing on domains listed above, but would like to add to the list as early as possible to make it easier to enable the feature on our side when we get there)

Pushed by dteller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5d05a5c52c5e
Extend the list of BinAST test domains to CloudFlare;r=arai

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Assignee: nobody → dteller