Bug 615716 (Closed)
Opened 14 years ago
Closed 13 years ago
[CSP] Add getsatisfaction's sources to the whitelist
Categories: addons.mozilla.org Graveyard :: Public Pages, defect, P5
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: Q2 2011
People: Reporter: clouserw, Assigned: clouserw
Details
It looks like getsatisfaction is using amazonaws for its images/scripts. We need to add that to the whitelist.
Updated 14 years ago
Assignee: nobody → clouserw
Priority: -- → P5
Comment 1, 14 years ago:
We offer integration with getsatisfaction to our add-on developers, but it looks like loading their widget on our page now pulls css/js/images from (all over SSL):
- www.google.com (recaptcha, already whitelisted :-/)
- getsatisfaction.com
- s3.amazonaws.com
The first two make some sense, but the last one is a public-ish resource and I'm not too excited to whitelist it. The attack vector is small (they have to get the tag on the page somehow), and CSP is just adding an additional layer of restriction to what people can do now, but I'm looking for an a=mcoates before I do this anyway.
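As an added illustration of the concern in this comment (example code, not from the bug or from zamboni): a bare `https://s3.amazonaws.com` host-source in a CSP matches every path on that host, so with path-style bucket URLs it admits scripts from any bucket, not just getsatisfaction's. The simplified matcher below follows CSP host-source rules (scheme, host, optional port, and path prefix as in CSP Level 2, which did not yet exist when this bug was filed); the bucket name is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed policies modelled on the sources listed in this bug.
# The bucket name is a placeholder, not getsatisfaction's real bucket.
BROAD_POLICY = {
    "script-src": ["'self'", "https://www.google.com",
                   "https://getsatisfaction.com", "https://s3.amazonaws.com"],
}
NARROW_POLICY = {
    "script-src": ["'self'", "https://www.google.com",
                   "https://getsatisfaction.com",
                   "https://s3.amazonaws.com/EXAMPLE-getsatisfaction-bucket/"],
}


def source_matches(source: str, url: str) -> bool:
    """Simplified CSP host-source match: scheme, host, port, path prefix.

    Wildcards and keyword sources ('self', 'none', ...) are not modelled;
    keywords simply never match a remote URL here.
    """
    if source == "*":
        return True
    if source.startswith("'"):
        return False
    src = urlsplit(source if "://" in source else "https://" + source)
    tgt = urlsplit(url)
    if src.scheme != tgt.scheme or src.hostname != tgt.hostname:
        return False
    # An explicit port in the source must match; no port means the default.
    if src.port is not None and src.port != tgt.port:
        return False
    # CSP2 path semantics: no path matches everything, a path ending in '/'
    # is a prefix match, anything else must match exactly.
    if not src.path:
        return True
    if src.path.endswith("/"):
        return tgt.path.startswith(src.path)
    return tgt.path == src.path


def allowed(policy: dict, directive: str, url: str) -> bool:
    """True if any source in the directive admits the URL."""
    return any(source_matches(s, url) for s in policy.get(directive, []))


def render_header(policy: dict) -> str:
    """Serialise the policy the way it would appear in a CSP header."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())
```

Before CSP Level 2 the way to narrow this was the virtual-hosted bucket hostname (bucket.s3.amazonaws.com) rather than a path.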
Updated 13 years ago
Target Milestone: 5.12.7 → 4.x (triaged)
Updated 13 years ago
Target Milestone: 4.x (triaged) → 6.0.5
Updated 13 years ago
Target Milestone: 6.0.5 → Q2 2011
Comment 2, 13 years ago:
Alright, https://github.com/jbalogh/zamboni/commit/9f685dfbd3a55d0ec468ef55fafea6a84926f0ed adds these to the whitelist. I'm not happy to add s3 to the whitelist, but it's not worse than what we have now and this bug has been open forever.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated 8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard