Closed
Bug 913199
Opened 12 years ago
Closed 12 years ago
Use HTTPS for FxAccounts server URL
Categories
(Firefox :: Sync, defect)
Firefox
Sync
Tracking
()
VERIFIED
FIXED
People
(Reporter: zaach, Assigned: zaach)
References
()
Details
(Whiteboard: [qa+])
Attachments
(1 file, 2 obsolete files)
|
7.53 KB,
patch
|
rnewman
:
review+
|
Details | Diff | Splinter Review |
Now that certs are deployed on the Firefox Accounts jelly server we can switch to using HTTPS.
Attachment #800374 -
Flags: review?(gavin.sharp)
|
||
Updated•12 years ago
|
Whiteboard: [qa+]
|
||
Comment 1•12 years ago
|
||
Comment on attachment 800374 [details] [diff] [review]
use_https.patch
Review of attachment 800374 [details] [diff] [review]:
-----------------------------------------------------------------
Trivial r+ for the code change, but a bigger question arises: do you ever want to speak non-HTTPS for FxA? If so, you need to validate the URL accordingly. Please make and document that decision, and if you decide you do want to restrict the protocol, update the patch and request re-review.
There might be additional sec concerns around hijacking this pref, so I encourage you to raise that during sec review or sooner.
Attachment #800374 -
Flags: review?(gavin.sharp) → review+
|
Assignee | |
Comment 2•12 years ago
|
||
For our deploy(In reply to Richard Newman [:rnewman] from comment #1)
> Comment on attachment 800374 [details] [diff] [review]
> use_https.patch
>
> Review of attachment 800374 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Trivial r+ for the code change, but a bigger question arises: do you ever
> want to speak non-HTTPS for FxA? If so, you need to validate the URL
> accordingly. Please make and document that decision, and if you decide you
> do want to restrict the protocol, update the patch and request re-review.
>
> There might be additional sec concerns around hijacking this pref, so I
> encourage you to raise that during sec review or sooner.
For our deployments? We'd only speak to it using HTTPS. Someone testing a local instance might use non-HTTPS. If someone were to run their own FxA+Sync servers (if that will be an option), maybe non-HTTPS.
|
|
Assignee | |
Comment 3•12 years ago
|
||
We're requiring HTTPS now. I've added a comment to the pref and a check.
Attachment #800374 -
Attachment is obsolete: true
Attachment #810217 -
Flags: review?(rnewman)
|
|
||
Comment 4•12 years ago
|
||
Comment on attachment 810217 [details] [diff] [review]
use_https-2.patch
Review of attachment 810217 [details] [diff] [review]:
-----------------------------------------------------------------
::: browser/base/content/aboutaccounts/aboutaccounts.js
@@ +51,5 @@
>
> _getAccountsURI: function () {
> + let url = Services.urlFormatter.formatURLPref("firefox.accounts.remoteUrl");
> + if (!/^https:/.test(url)) {
> + throw new Error("Firefox Accounts server must use HTTPS");
You call this method in two places:
* Initing the wrapper
* When injecting data.
Neither of these places are expecting it to throw -- for example, if this throws the load of aboutaccounts.js will fail! -- so I tentatively assert that this patch isn't complete.
And ideally you'll have a test for the behavior when there's an invalid value in the pref... living documentation.
Attachment #810217 -
Flags: review?(rnewman) → review-
|
|
||
Updated•12 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
|
|
Assignee | |
Comment 5•12 years ago
|
||
Thanks rnewman. This patch refactors things a bit to favor testability.
(do_check_throws should really be defined by the test runner!)
Attachment #810217 -
Attachment is obsolete: true
Attachment #810805 -
Flags: review?(rnewman)
|
|
||
Comment 6•12 years ago
|
||
Comment on attachment 810805 [details] [diff] [review]
use_https-3.patch
Review of attachment 810805 [details] [diff] [review]:
-----------------------------------------------------------------
r+ with nits.
I'll file a bug to lift do_check_throws to head.js.
::: browser/base/content/aboutaccounts/aboutaccounts.js
@@ +13,5 @@
> //dump("FXA: " + msg + "\n");
> };
>
> +function error(msg) {
> + dump("FXA Error: " + msg + "\n");
"Firefox Account" where it might appear in logs that mere mortals see?
And let's use console.log(), so at least this error is visible to users who aren't running Firefox from a command line.
@@ +27,5 @@
> +
> + try {
> + iframe.src = fxAccounts.getAccountsURI();
> + } catch (e) {
> + error(e.message);
error("Couldn't init Firefox Account wrapper: " + e.message);
@@ +80,5 @@
> },
>
> injectData: function (type, content) {
> + try {
> + let authUrl = fxAccounts.getAccountsURI();
More minimal change:
let authUrl;
try {
authUrl = fxAccounts.getAccountsURI();
} catch (e) {
error("Couldn't inject data: " + e.message);
return;
}
...
Attachment #810805 -
Flags: review?(rnewman) → review+
|
|
Assignee | |
Comment 7•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Comment 8•12 years ago
|
||
OK great. When this appears in ELM, give me a ping.
QA will want to test this.
|
|
||
Comment 9•12 years ago
|
||
Also, I am going to assume this is desktop only...
|
|
||
Comment 10•12 years ago
|
||
This is on my list now for testing.
See also: https://github.com/mozilla/firefox-account-bridge/issues/48
|
||
Updated•12 years ago
|
|
||
Comment 11•12 years ago
|
||
|
|
||
Comment 12•12 years ago
|
||
Cleaning up Resolved/Fixed bugs from December's first release.
Verified that we now have a working first-release of FxA to Desktop/Android Nightly.
Re-open as needed.
Status: RESOLVED → VERIFIED
|
||
Updated•7 years ago
|
Component: Firefox Sync: Backend → Sync
Product: Cloud Services → Firefox
You need to log in
before you can comment on or make changes to this bug.
Description
•