Closed Bug 881706 Opened 11 years ago Closed 11 years ago

SecReview: CSOL-site


(Security Assurance: Review Request, task)




(Reporter: freddy, Assigned: freddy)


(Blocks 1 open bug)


(Whiteboard: [completed secreview][Web])

I just did the security review for bug 879991 and atul pointed me at csol-site, so I figured this could require a review as well.

Brian, would you mind addressing the questions from to speed up the security review?
As far as I understand this project is high profile and needs to be completed very soon.

cc'ing Andrew Hayward who did the bulk of the work on this project.
The most obvious & dangerous spots look rather OK, but I need a test environment to play with the handling of user input.

Andrew, can you provide answers to the typical review questions and point me at the staging/dev sites you are using?
I already found out about and - but it looks like a csol-site is missing here.

Also, I would like to have access to admin things, api-keys and session-secrets for those sites.
My persona ID is and I'm happy to receive those secrets on IRC (my session "freddyb", should be registered and using SSL at all times.)

Review Q&A:

Who is/are the point of contact(s) for this review?

- Andrew Hayward <>
- Mike Larsson <>
- Chris McAvoy <>
- JP Schneider <> - DevOps / Infrastructure

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

 - csol-site runs
 - Developed in partnership with the City of Chicago.
 - All terms of service and privacy policies are agreements between the users and the City of Chicago.
 - Mozilla is acting as a 3rd party host to the website. A memo of understanding of our role in the site is 'on file' with Mozilla Counsel.
 - The site allows users (both over and under 13) to find summer programs to participate in and earn badges from.

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

 - - the code repository
 - - staging server

Does this request block another bug? If so, please indicate the bug number

 - No

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

 - As soon as possible - this is technically already live

To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?

 - Not that I'm aware of

Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?

 - No

Are there any portions of the project that interact with 3rd party services?

 - Yes - OpenBadger and Aestimia, though both are Mozilla properties (and both of which you're already aware of)

Will your application/service collect user data? If so, please describe

 - Yes - we are currently requiring most users to enter full names, and email addresses if they are aged 13 and above.
 - Additionally, we are also asking for a user's school, student ID, gender, ethnicity and ZIP code, though these are not required.

Whiteboard: [pending secreview] → [pending secreview][Web]

Sorry, forgot to close the bug.
Please take a look at the dependent bugs. The XSS issue is probably the most pressing.

Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][Web] → [completed secreview][Web]