Closed
Bug 672001
Opened 15 years ago
Closed 10 years ago
Implement Content Security Policy (CSP) for browserid / Persona
Categories
(Cloud Services :: Server: Identity, defect)
Cloud Services
Server: Identity
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: mcoates, Unassigned)
References
()
Details
(Keywords: sec-moderate, wsec-xss, Whiteboard: [infrasec:bestpractice][ws:moderate])
Issue
The browserid.org website is not leveraging the additional security benefits provided by Content Security Policy (CSP). The first step in implementing CSP is to fully externalize all JavaScript. This requires moving any inline javascript to an external javascript file that is referenced via src=. In addition some javascript calls such as "eval" or not allowed.
CSP can then be implemented via a response header with a defined CSP policy. This can be enabled in "report-only" mode initially to debug any potential violations.
It is easier to add CSP to a site early in the development process to minimize the amount of javascript that may need to be externalized.
Recommended Remediation
Externalize current javascript and enable content security policy.
Additional information
https://developer.mozilla.org/en/introducing_content_security_policy
Updated•14 years ago
|
Assignee: nobody → benadida
Status: NEW → ASSIGNED
Updated•14 years ago
|
Assignee: benadida → stomlinson
Updated•14 years ago
|
Keywords: sec-moderate
Comment 1•13 years ago
|
||
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated•12 years ago
|
Assignee: stomlinson → nobody
Status: ASSIGNED → NEW
Comment 2•12 years ago
|
||
How can we move forward with this? There are no blocker's listed. If it's just waiting for a good policy being built, I can find somebody to help you with this.
Comment 3•12 years ago
|
||
Also, any objections to opening this bug? It's pretty easy to see that we're not sending out the header on persona/browserid.org :)
Comment 4•12 years ago
|
||
Adding volunteers working on CSP adoption to this bug
Comment 5•12 years ago
|
||
Moving to the right product...
Group: webtools-security
Component: Identity → Server: Identity
Product: Mozilla Labs → Mozilla Services
Comment 6•12 years ago
|
||
This is also on the main bug tracker for Persona: https://github.com/mozilla/browserid/issues/3271
Updated•10 years ago
|
Summary: Enable Content Security Policy to Minimize XSS Risk → Implement Content Security Policy (CSP) for browserid / Persona
Comment 7•10 years ago
|
||
I think we should WONTFIX this given our announced plans and timeline for decommissioning persona.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•