Bug 1594053: Add Telemetry for Toplevel X-Content-Type-Options Nosniff Usage
Status: Closed (opened 6 years ago, closed 6 years ago)
Categories: Core :: DOM: Security, enhancement, P2
Resolution: RESOLVED FIXED, target milestone mozilla72

| Tracking | Status |
|---|---|
| firefox72 | fixed |
People: Reporter: sstreich, Assigned: sstreich
Whiteboard: [domsecurity-active]

Attachments (2 files):
- 47 bytes, text/x-phabricator-request (Details | Review)
- 2.22 KB, text/plain; chutten|PTO: data-review+ (Details)
We would like to explore whether we can make our nosniff implementation more strict.

We're currently allowing the content of a page to be sniffed if the page does not provide a content type, even though it manually set X-Content-Type-Options: nosniff.

We would like to know how often this is the case compared to XTCO+Valid Content Type. It would also be a great insight to know whether the pages that were sniffed with this exception actually resulted in scriptable content types (html/xml/pdf) or non-scriptable ones (text/json/etc).
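A defender-side sketch of the buckets the description asks for, added here as an example and not code from the bug or from Firefox: it classifies constructed HTTP responses by whether nosniff was set together with a Content-Type, and, where the Content-Type is missing (the case sniffing still happens), by whether a simple signature sniffer would promote the body to a scriptable type. The sniffing heuristic, bucket names and sample responses are assumptions.

```python
# Types a sniffer could promote a body into that can carry active content.
SCRIPTABLE = {"text/html", "application/xml", "application/pdf"}


def sniff_content(body: bytes) -> str:
    """Tiny signature sniffer (assumption: not Firefox's real sniffing logic)."""
    head = body.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script")):
        return "text/html"
    if head.startswith(b"<?xml"):
        return "application/xml"
    if head.startswith(b"%pdf-"):
        return "application/pdf"
    try:
        head.decode("utf-8")       # decodable prefix: treat as plain text
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"


def classify(headers: dict, body: bytes) -> str:
    """Map one response to a telemetry-style bucket (bucket names are assumptions)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    nosniff = h.get("x-content-type-options") == "nosniff"
    ctype = h.get("content-type", "").split(";")[0].strip()
    if not nosniff:
        return "no-xcto"
    if ctype:
        return "xcto-with-content-type"      # nosniff is honoured, no sniffing
    # The case the bug describes: nosniff is set but there is no Content-Type to
    # honour it against, so the body is still sniffed.
    sniffed = sniff_content(body)
    if sniffed in SCRIPTABLE:
        return "xcto-no-content-type-scriptable"
    return "xcto-no-content-type-nonscriptable"


# Constructed sample responses (header dict, body).
SAMPLES = [
    ({"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff"},
     b"<!DOCTYPE html><p>typed</p>"),
    ({"X-Content-Type-Options": "nosniff"}, b"<!DOCTYPE html><script>1</script>"),
    ({"X-Content-Type-Options": "nosniff"}, b'{"ok": true}'),
    ({"Content-Type": "application/json"}, b"{}"),
]


def tally(samples=SAMPLES) -> dict:
    """Count responses per bucket, the way the requested histogram would."""
    counts: dict = {}
    for headers, body in samples:
        bucket = classify(headers, body)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```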
Updated 6 years ago
Assignee: nobody → sstreich

Comment 1 • 6 years ago
Depends on D50816

Updated 6 years ago
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]

Comment 2 • 6 years ago
Attachment #9108779 - Flags: data-review?(chutten)

Comment 3 • 6 years ago
Comment on attachment 9108779 [details] review.md
PRELIMINARY NOTES:
Your data collection review request is for all-channel collection but your Histogram definition doesn't include `releaseChannelCollection: opt-out` so it will only be collected in Nightly and Beta. I will assume you plan on adding that to the definition before shipping.
DATA COLLECTION REVIEW RESPONSE:
Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?
Yes. This collection is Telemetry so is documented in its definitions file [Histograms.json](https://hg.mozilla.org/mozilla-central/file/tip/toolkit/components/telemetry/Histograms.json) and the [Probe Dictionary](https://telemetry.mozilla.org/probe-dictionary/).
Is there a control mechanism that allows the user to turn the data collection on and off?
Yes. This collection is Telemetry so can be controlled through Firefox's Preferences.
If the request is for permanent data collection, is there someone who will monitor the data over time?
No. This collection will expire in Firefox 80.
Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?
Category 1, Technical.
Is the data collection request for default-on or default-off?
Default on for all channels.
Does the instrumentation include the addition of any new identifiers?
No.
Is the data collection covered by the existing Firefox privacy notice?
Yes.
Does there need to be a check-in in the future to determine whether to renew the data?
Yes. :sstreich is responsible for renewing or removing the collection before it expires in Firefox 80.
---
Result: datareview+
Attachment #9108779 - Flags: data-review?(chutten) → data-review+

Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c2ec766b798c
Add XTCO Telemetry r=ckerschb
Comment 5 • 6 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72