Bug 300657
Opened 19 years ago
Closed 19 years ago
Use separate domain for examples
Categories
(mozilla.org Graveyard :: Server Operations, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: benjamin, Assigned: alex)
Details
Example files on devmo should not be loaded from the main devmo domain, because any scripts in the examples can easily steal cookies and do other kinds of scripting badness.

Part 1) is to apply my mediawiki patch at http://bugzilla.wikimedia.org/show_bug.cgi?id=2845

Part 2) involves separating the examples onto a different domain. My basic thought process about this is as follows: have a separate domain developer-examples.mozilla.org which is a CNAME to developer.mozilla.org. In the root htaccess or apache config, there should be a rewrite rule:

    RewriteCond %{HTTP_HOST} =developer.mozilla.org
    RewriteRule type=raw http://developer-examples.mozilla.org%{REQUEST_URI} [R]

    RewriteCond %{HTTP_HOST} =developer-examples.mozilla.org
    RewriteRule !type=raw http://developer.mozilla.org%{REQUEST_URI} [R]

Part 3) sets configuration variables so that the raw mimetypes are useful:

    $wgRawMimetypeDefault = 'text/plain';
    array_push($wgRawMimetypeWhitelist,
        'text/html',
        'text/xml',
        'application/vnd.mozilla.xul+xml',
        'text/javascript',
        'image/svg+xml',
        'application/xhtml+xml',
        'application/x-javascript',
        'text/ecmascript',
        'application/xslt+xml');
Comment 1•19 years ago (Assignee)
In the bug (http://bugzilla.wikimedia.org/show_bug.cgi?id=2845) the mediawiki developer says this is not a security bug. If it is not a security issue, then it just deviates our mediawiki installs farther from upstream -- which makes upgrading a headache. Is this still a priority?
Comment 2•19 years ago (Reporter)
This bug is about allowing examples (which may contain script), so it is necessary to serve these examples from a separate domain. So yes, I think this is still a priority... and I believe that the mediawiki patch will be accepted upstream sometime in the future.
Comment 4•19 years ago
Please note that the javascript rules apply to a top-level domain only unless that's recently changed. We either need to use the IP address or a completely separate top-level (like mozillafoundation.org or mozilla.net or something).
Comment 5•19 years ago (Reporter)
Dave, what javascript rules are you referring to? Are there important cookies set on the "mozilla.org" domain (not on subdomains) that we need to protect? I certainly don't mind a separate domain like "developer-examples.mozilla.net" or something, it just sounds like more work (maybe not).
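Added example, not part of the bug thread and not Mozilla or MediaWiki code: the cookie domain-matching rule browsers apply (RFC 6265, section 5.1.3), run against the candidate example hosts named in the comments above. The cookie names, the jar contents and the IP address are constructed for illustration.

```javascript
// Added illustration; all cookie names and the IP below are constructed.
// An IP-address host never suffix-matches a cookie domain.
function isIpv4(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Domain-match: the host equals the cookie domain, or the host is a
// host name (not an IP) that ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  return !isIpv4(h) && h.endsWith("." + d);
}

// A cookie set without a Domain attribute is host-only: it is returned
// only to the exact host that set it.
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) {
    return requestHost.toLowerCase() === cookie.domain.toLowerCase();
  }
  return domainMatches(requestHost, cookie.domain);
}

// Constructed jar: a host-only wiki session cookie and a cookie scoped
// to the whole parent domain with Domain=mozilla.org.
const jar = [
  { name: "wiki_session", domain: "developer.mozilla.org", hostOnly: true },
  { name: "site_wide", domain: "mozilla.org", hostOnly: false },
];

// Names of the cookies the browser would attach to a request for
// examplesHost, i.e. what a script served from that host could reach
// (ignoring Path and HttpOnly, which are out of scope here).
function exposedCookies(examplesHost) {
  return jar.filter((c) => cookieSentTo(c, examplesHost)).map((c) => c.name);
}

const candidates = [
  "developer.mozilla.org",          // examples served from the wiki host
  "developer-examples.mozilla.org", // subdomain proposed in the description
  "developer-examples.mozilla.net", // separate domain from comment 5
  "192.0.2.10",                     // constructed IP (documentation range)
];
for (const host of candidates) {
  console.log(host, "->", JSON.stringify(exposedCookies(host)));
}
```

The sibling subdomain keeps host-only cookies of developer.mozilla.org out of reach but still receives anything set with Domain=mozilla.org, which is the case comment 5 asks about.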
Comment 6•19 years ago (Assignee)
Closing for the same reason as bug 291174
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Updated•10 years ago
Product: mozilla.org → mozilla.org Graveyard