720928 - Perform Security Review for Firefox Flicks

Status: VERIFIED FIXED

(mozilla.org :: Security Assurance: Review Request, task)

Description

[Christie Koehler [:ckoehler]]

1. A quick intro to what this app does.

Firefox Flicks is a global contest in which Filmmakers compete to tell our story. Filmmaker will submit short videos, and viewers can "like" videos. At the end of the contest, a panel of celebrity judges will select the best films across 4 categories and 4 regions.

2. Where is the source code located?

https://github.com/mozilla/firefox-flicks

3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

Stage site will be: firefoxflicks.allizom.org

4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Product / Compotent: Websites / Firefox Flicks
CC: ckoehler@mozilla.com, cnovak@mozilla.com, jfong@mozilla.com, mkelly@mozilla.com

5. Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?

App will be using BrowserID for login and will collect name and email address. 

6. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

App will be using the following serivces:

* Vid.ly
* Twitter
* Facebook

7. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

Yes. Filmmakers will need to login using BrowserID to upload videos.

8. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

Not sure; more info to come.

8. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

9. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

We are aiming to have the site review for review by 2/14 for a 2/28 launch.

Comment 1

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

assigning to paul to review

Comment 2

[Christie Koehler [:ckoehler]]

Any update on when this is scheduled to take place? We're launching very soon.

Comment 3

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Christie, 

Review is mostly done, I just wanted to ask a few questions as to how videos actually end up on the site. I'll try and contact you now for that. I'll also post the bugs that I found. To summarize, these were:

* Upvotes look like that they can be automated, since the "already voted check" appears to be client-side. Not sure if this is a big deal, but seems to not useful have anti-automation if its only client side. (unless its just a usability feature)

* https is used across the whole site, but scripts are imported from third parties over http. There appears to be https alternatives for the scripts in question so it would be better to use these.

* HSTS isn't enabled

I'll post seperate bugs for each of these, any questions just ping (nb I am in Australia, so 5 hours behind PST)

Comment 4

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Can't catch you on IRC Christie so i will ask my question here: I couldn't get any videos uploading during testing. I have reviewed the code, and as far as I could tell it seemed ok, but I would feel more comfortable if I could test the site with at least one video available (so that I can testing searching, viewing and voting). Is this possible?

Comment 5

[Osmose [:osmose, :mkelly]]

Paul: https://firefoxflicks-dev.allizom.org should have a few videos up and video uploading should work now.

Comment 6

[Paul Theriault [:pauljt] (no longer reading bugmail)]

I tested the video functionality as well now thanks, no additional issues.