Closed
Bug 300657
Opened 20 years ago
Closed 20 years ago
Use separate domain for examples
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: benjamin, Assigned: alex)
Details
Example files on devmo should not be loaded from the main devmo domain, because
any scripts in the examples can easily steal cookies and do other kinds of
scripting badness.

Part 1) is to apply my mediawiki patch at
http://bugzilla.wikimedia.org/show_bug.cgi?id=2845

Part 2) involves separating the examples onto a different domain.
My basic thought process about this is as follows: have a separate domain
developer-examples.mozilla.org which is a CNAME to developer.mozilla.org.
In the root htaccess or apache config, there should be a rewrite rule:

    # type=raw requests that arrive on the main host go to the examples host
    RewriteCond %{HTTP_HOST} =developer.mozilla.org
    RewriteRule type=raw http://developer-examples.mozilla.org%{REQUEST_URI} [R]
    # anything else that arrives on the examples host goes back to the main host
    RewriteCond %{HTTP_HOST} =developer-examples.mozilla.org
    RewriteRule !type=raw http://developer.mozilla.org%{REQUEST_URI} [R]

Part 3) sets configuration variables so that the raw mimetypes are useful:

    $wgRawMimetypeDefault = 'text/plain';
    array_push($wgRawMimetypeWhitelist,
        'text/html',
        'text/xml',
        'application/vnd.mozilla.xul+xml',
        'text/javascript',
        'image/svg+xml',
        'application/xhtml+xml',
        'application/x-javascript',
        'text/ecmascript',
        'application/xslt+xml');
Comment 1 (Assignee) • 20 years ago
In the bug (http://bugzilla.wikimedia.org/show_bug.cgi?id=2845) the mediawiki
developer says this is not a security bug. If it is not a security issue, then
it just deviates our mediawiki installs farther from upstream -- which makes
upgrading a headache.
Is this still a priority?
Comment 2 (Reporter) • 20 years ago
This bug is about allowing examples (which may contain script), so it is
necessary to serve these examples from a separate domain. So yes, I think this
is still a priority... and I believe that the mediawiki patch will be accepted
upstream sometime in the future.
Comment 3 (Reporter) • 20 years ago
Please add 'text/css' to the whitelist also.
Comment 4 • 20 years ago
Please note that the javascript rules apply to a top-level domain only unless
that's recently changed. We either need to use the IP address or a completely
separate top-level (like mozillafoundation.org or mozilla.net or something).
Comment 5 (Reporter) • 20 years ago
Dave, what javascript rules are you referring to? Are there important cookies set
on the "mozilla.org" domain (not on subdomains) that we need to protect?
I certainly don't mind a separate domain like "developer-examples.mozilla.net"
or something, it just sounds like more work (maybe not).
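Added example (not part of the bug thread or of Mozilla's configuration): a small check of which cookies set by developer.mozilla.org a browser would attach to each candidate examples host, using the domain-matching rule from RFC 6265 section 5.1.3. The cookie Domain values and the address 192.0.2.10 are constructed for illustration; Path, Secure and public-suffix checks are left out.

```python
import ipaddress

MAIN = "developer.mozilla.org"
# Candidate hosts for serving examples; the IP is a constructed placeholder.
CANDIDATES = [
    "developer-examples.mozilla.org",
    "developer-examples.mozilla.net",
    "192.0.2.10",
]
# Constructed cookie scopes: value is the Domain attribute (None = host-only).
COOKIES = {
    "host-only": None,
    "Domain=mozilla.org": "mozilla.org",
    "Domain=developer.mozilla.org": "developer.mozilla.org",
}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical, or a suffix on a label boundary (never for IPs)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    return not _is_ip(host) and host.endswith("." + cookie_domain)


def cookie_sent(set_by, domain_attr, request_host):
    """Would a cookie set by set_by be attached to a request for request_host?"""
    if domain_attr is None:                     # host-only: exact host required
        return request_host.lower() == set_by.lower()
    if not domain_match(set_by, domain_attr):   # browser refuses to store it
        return False
    return domain_match(request_host, domain_attr)


def exposure():
    """Map (cookie scope, candidate host) -> True if the cookie reaches that host."""
    return {(name, host): cookie_sent(MAIN, dom, host)
            for name, dom in COOKIES.items() for host in CANDIDATES}


if __name__ == "__main__":
    for (name, host), sent in exposure().items():
        print(f"{name:30} -> {host:32} {'SENT' if sent else 'not sent'}")
```

Any pair reported as SENT is a cookie that a script in an example served from that host could also read through document.cookie unless the cookie is marked HttpOnly.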
Comment 6 (Assignee) • 20 years ago
Closing for the same reason as bug 291174
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Updated • 11 years ago
Product: mozilla.org → mozilla.org Graveyard