Closed Bug 685287 Opened 13 years ago Closed 13 years ago

Create URL redirect for Foundation project Popcorn Maker

Categories

(mozilla.org Graveyard :: Server Operations, task)

x86
macOS
task
Not set
critical

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ryan, Assigned: ashish)

The Mozilla Foundation's Popcorn project is ready to launch an alpha of the Popcorn Maker app. The app is located at http://butterapp.org/popcorn-maker/. We would like to set up a URL redirect from http://popcornmaker.mozilla.org to that address to allow us to promote the app.

The app will be featured at the Mozilla-sponsored Open Video Conference this weekend, so we would very much appreciate it if this could be set up by EOD Friday.

Thank you!
Severity: normal → critical
Assignee: server-ops → ashish
Ryan/Brett - Please change the URL of the webm video [1] from videos-origin.mozilla.org to videos.mozilla.org ASAP. videos-origin is a single server and is behind the CDN and should never be directly linked, especially on public-facing websites. Doing that would be bypassing the CDN and possibly bringing the server to a crawl.
Hmm, I missed the URL to the video I was referring to but please do take a look through the webm links, thanks!
Guys,

This should not have been set up; as a general rule we do not set up anything in the .mozilla.org/.com TLD without it being hosted within our infrastructure.

We will probably need to remove this quickly, but I will ask mcoates if he would like to override this first.
To clarify: our intention is certainly to host within the Mozilla IT infrastructure at popcornmaker.mozilla.org - however, while this is being set up, we'd like this simple redirect so that we can announce our alpha at the Open Video Conference, a marquee event for our market (and an event that Mozilla is a primary sponsor of).

Hope that clarifies,
Brett
I understand; it still causes risk. If it should be hosted within our infrastructure then we need to go that route, but it needs plenty of time and proper planning to make it happen (and this is too short of notice to make it happen before this weekend).
I took a look at the website. In terms of potential security risks, this site is pretty high. It looks like there is a fair amount of user-submitted dynamic code that is later processed by the site. (I also found an XSS in a few minutes of poking.)

The current redirects work such that URL parameters are carried to the final page. This would allow someone to create a mozilla.org URL with a malicious payload that would carry through to http://butterapp.org/popcorn-maker/ and then fire the attack. In short, this would look like a vulnerability in Mozilla.org

This will require a security review for sure before joining the mozilla.org domain and the production infrastructure.


But, to address the issue at hand.

Would people agree that this is more of a labs project since the project is:
* Experimental
* Under rapid iteration
* Under constrained timelines

We can provide a mozillalabs.com domain name that could be used for this weekend that would redirect to http://butterapp.org/popcorn-maker/

After this weekend we can start the process of getting this application onto allizom.org for security testing and eventually to popcornmaker.mozilla.org
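
Added example (not part of the bug thread and not Mozilla's redirect configuration): the comment above notes that the redirect carried URL parameters through to the final page. The Python sketch below models that behaviour next to a fixed-target redirect and includes an audit check that reports which request parameters reappear in a `Location` header. The function names and the sample requests are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Redirect target named in the bug.
TARGET = "http://butterapp.org/popcorn-maker/"

def location_carrying_query(request_url: str, target: str = TARGET) -> str:
    """Behaviour described in the comment: the request's query string is
    appended to the redirect target unchanged."""
    query = urlsplit(request_url).query
    t = urlsplit(target)
    merged = "&".join(q for q in (t.query, query) if q)
    return urlunsplit((t.scheme, t.netloc, t.path, merged, ""))

def location_fixed(request_url: str, target: str = TARGET) -> str:
    """Hardened behaviour: always answer with the fixed target, whatever
    path or parameters the request carried."""
    return target

def carried_params(request_url: str, location: str) -> list:
    """Audit check: (name, value) pairs from the request that reappear in
    the Location header. Values are compared after URL-decoding, so a
    parameter that was re-encoded on the way through is still reported."""
    sent = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    seen = set(parse_qsl(urlsplit(location).query, keep_blank_values=True))
    return [pair for pair in sent if pair in seen]

# Constructed sample request with harmless marker values.
SAMPLE = "http://popcornmaker.mozilla.org/?probe=marker-123&x=1"

if __name__ == "__main__":
    for policy in (location_carrying_query, location_fixed):
        loc = policy(SAMPLE)
        print(policy.__name__, "->", loc)
        print("  carried:", carried_params(SAMPLE, loc))
```

Running `carried_params` against captured request/response pairs from a redirect host gives a quick regression check that no caller-controlled parameter reaches the destination.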
Based upon Mike's comments, I'm OK with disabling the redirect for now.  We can purchase and use a non-mozilla domain like popcornmaker.org for now as a temporary measure while we are in alpha, and simultaneously work to get the application on mozilla infrastructure and through the security and QA processes.  Brett - you good with that?
This is reverted.
If there's a chance you want the domain hosted at Mozilla eventually then you probably ought to have us get it for you.  We'll need ownership before we can host it, and you can't transfer a domain for 60 days after it's registered.  Domains handled by US registrars (.org/.com/.net/.info/etc) can be obtained and operating almost on a moment's notice.  popcornmaker.org is already taken, fwiw.  If you'd like us to do that and decide on a domain to get, try not to mention it on a public bug, because domain sharks sometimes watch our bugs and try to snag them first. :)
"After this weekend we can start the process of getting this application onto allizom.org for security testing and eventually to popcornmaker.mozilla.org".  Should we close this bug and start another one to start the process of getting the app ready to move to popcornmaker.mozilla.org or continue on this bug?  Thanks.
Opening a new bug would be the right way to go about it. Closing this out.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Depends on: 688051
No longer depends on: 688051
Depends on: 688059
Blocks: 688059
No longer depends on: 688059
Product: mozilla.org → mozilla.org Graveyard