Authenticated Pages Should Only be HTTPS

VERIFIED FIXED in 0.9.3

Status

developer.mozilla.org
Demo Studio / Dev Derby
--
major
VERIFIED FIXED
7 years ago
6 years ago

People

(Reporter: mcoates, Unassigned)

Tracking

unspecified
0.9.3

Details

(Whiteboard: [infrasec:tls][ws:high], URL)

Issue

The site allows pages to be served over HTTP or HTTPS including the login page, account creation, and pages viewed after the user is authenticated.  These pages can disclose sensitve data including the username, password and session id

Recommended Remediation

- The login page and account creation page should only be accessible over HTTPS.  
- Authenticated pages that are not publicly accessible should only be accessible over HTTPS.
- Pages that are public, but can also by accessed by an authenticated account, can be accessed over HTTP provided that the session ID is set as HTTPOnly. This configuration will essentially allow the user to browse the public pages as an unauthenticated user.

Comment 1

7 years ago
(In reply to comment #0)

This is just due to how the staging server is configured... we already serve the login, registration and authenticated pages over HTTPS on production.  You can verify the Deki stuff on https://developer.mozilla.org

IT probably had their reasons for not implementing the staging server the same as production, so not sure if there is anything to fix in this bug.

Cc'ing Oremj to see why stage9 does not behave like production.
Is https://developer.mozilla.org the intended location of this app?  Are we still on track to host all uploaded content on another non-mozilla.org domain?

Comment 3

7 years ago
(In reply to comment #2)
> Is https://developer.mozilla.org the intended location of this app? 
Yup... it will live at developer.mozilla.org/demos

> Are we still on track to host all uploaded content on another non-mozilla.org domain?

Les or Austin can probably give a definitive answer, but from what I understand, the Demo Studio uploads will live on developer.mozilla.org.  But I could be wrong, since there was talk about using the demos.mozilla.org or mozillademos.org domains for something.

Comment 4

7 years ago
I've discussed with Les:

mozillademos.org/demos - WOW demos
mozillademos.org/somepath - DR demos

He mentioned that the Django app will write to a local directory... Hopefully IT can configure this to be an NFS or some kind of share so that the files automatically show up on a file server that mozillademos.org's Apache can serve up.

I've not filed the IT bugs, etc to make that happen, I'll defer to Les on the actual design he went with...
I'm assuming an NFS mount on the app servers is the easiest way, since that's how IT had me do it in the past. 

The Django app has settings to point it at a filesystem path (eg. an NFS mount) and a base URL for where those files are served (eg. mozillademos.org/somepath)

We have bug 632138 to track deployment of MDN 0.9.3, which includes the Demo Studio.
Where is this bug? Not sure what the next steps are.
Target Milestone: --- → 0.9.3
I'm thinking this boils down to config difference between staging and production. Can we close this?
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Yes, we can close this. We'll take a look at prod when its available to double check the issue.
Status: RESOLVED → VERIFIED
Group: websites-security
(Assignee)

Updated

6 years ago
Component: Demos → Demo Studio / Dev Derby
Product: Mozilla Developer Network → Mozilla Developer Network
You need to log in before you can comment on or make changes to this bug.