Closed Bug 698034 Opened 13 years ago Closed 11 years ago

host htmlpad.org on Mozilla infra

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task, P5)

Product:
Infrastructure & Operations Graveyard
Component:
WebOps: Other
Platform:
All
Other
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: mrz, Assigned: mrz)

References

Details

(Whiteboard: [triaged 20120824][waiting][appsec][site-owner]) 

This app is so useful.  We should pull it in house an treat it like a prod app.

On Thu Oct 27 22:54:35 2011, matthew zeier wrote:
What's it take to get this hosted on mozilla infra?

It should be pretty easy, actually--it's a very simple django project:

https://github.com/toolness/htmlpad

Who typically deals with deploying stuff like this?

- Atul
Component: Server Operations → Server Operations: Web Operations
This allows users to inject full HTML and javascript. We'll probably have to, at least, buy a domain for this, but security should look at it too.
Component: Server Operations: Web Operations → Server Operations: Security
QA Contact: cshields → mcoates
(In reply to Jeremy Orem [:oremj] from comment #1)
> This allows users to inject full HTML and javascript. We'll probably have
> to, at least, buy a domain for this, but security should look at it too.

Yes, if this allows user controlled html or javascript then it will have to have its own domain.  Please file a security review request for this app and we'll take a look:

https://wiki.mozilla.org/WebAppSec/Security_Review_Request
Whiteboard: [2012q1]
Component: Server Operations: Security → Security Assurance: Operations
Component: Security Assurance: Operations → Server Operations
QA Contact: mcoates → phong
Nothing for OpSec to do here. Moving back to server operations.
Assignee: server-ops → bburton
Assignee: bburton → server-ops
Component: Server Operations → Server Operations: Web Operations
QA Contact: phong → cshields
Whiteboard: [2012q1] → [2012q2]
Depends on: 762113
Whiteboard: [2012q2] → [2012q2] [pending secreview]
Blocks: 696659
Assignee: server-ops → server-ops-webops
Whiteboard: [2012q2] [pending secreview] → [pending secreview]
This bug might as well be the sec review bug... all the information I have is already here, and there's no WebOps work until we have some commentary from AppSec. The github repo is in comment 0.

Note that http://htmlpad.org/ currently doesn't actually work. I believe it's been broken ever since our Etherpad installation began forcing SSL with a redirect. This is probably a simple fix in the htmlpad code.

This particular domain is already owned by a Mozilla employee (Atul Varma)... with his good graces we could conceivably transfer that domain to our ownership and move it under our standard registration/DNS/hosting infrastructure. I don't know if there are any security concerns beyond needing to be hosted on a separate domain.
Flags: sec-review?
Whiteboard: [pending secreview]
Group: infra
Whiteboard: [waiting][appsec][site-owner]
Severity: minor → normal
Priority: -- → P5
Whiteboard: [waiting][appsec][site-owner] → [triaged 20120824][waiting][appsec][site-owner]
Assignee: server-ops-webops → mrz
Depends on: 785432
QA Contact: cshields → mrz
Flags: sec-review? → sec-review?(mfuller)
No longer depends on: 785432
This app doesn't work, and absolutely nothing has happened lately to fix it. And it's likely to break again when we moved to Etherpad Lite.

I recommend folks switch to https://thimble.webmaker.org/en-US/editor, which is tailor-made to do more or less precisely what htmlpad does/did.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Flags: sec-review?(matthewdf10)
Component: Server Operations: Web Operations → WebOps: Other
Product: mozilla.org → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.