Closed Bug 672001 Opened 15 years ago Closed 10 years ago

Implement Content Security Policy (CSP) for browserid / Persona

Categories

(Cloud Services :: Server: Identity, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mcoates, Unassigned)

References

()

Details

(Keywords: sec-moderate, wsec-xss, Whiteboard: [infrasec:bestpractice][ws:moderate])

Issue The browserid.org website is not leveraging the additional security benefits provided by Content Security Policy (CSP). The first step in implementing CSP is to fully externalize all JavaScript. This requires moving any inline javascript to an external javascript file that is referenced via src=. In addition some javascript calls such as "eval" or not allowed. CSP can then be implemented via a response header with a defined CSP policy. This can be enabled in "report-only" mode initially to debug any potential violations. It is easier to add CSP to a site early in the development process to minimize the amount of javascript that may need to be externalized. Recommended Remediation Externalize current javascript and enable content security policy. Additional information https://developer.mozilla.org/en/introducing_content_security_policy
Assignee: nobody → benadida
Status: NEW → ASSIGNED
Assignee: benadida → stomlinson
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Assignee: stomlinson → nobody
Status: ASSIGNED → NEW
How can we move forward with this? There are no blocker's listed. If it's just waiting for a good policy being built, I can find somebody to help you with this.
Also, any objections to opening this bug? It's pretty easy to see that we're not sending out the header on persona/browserid.org :)
Adding volunteers working on CSP adoption to this bug
Moving to the right product...
Group: webtools-security
Component: Identity → Server: Identity
Product: Mozilla Labs → Mozilla Services
This is also on the main bug tracker for Persona: https://github.com/mozilla/browserid/issues/3271
Summary: Enable Content Security Policy to Minimize XSS Risk → Implement Content Security Policy (CSP) for browserid / Persona
I think we should WONTFIX this given our announced plans and timeline for decommissioning persona.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.