Can we please backport bug 938596 (the hook for modifying HTTP headers) to BMO? This is needed so that someone can write an extension to allow admins to specify extra HTTP headers, which can then be used to work on fixing bug 600692 (implement Content Security Policy for Bugzilla). Gerv
Created attachment 8341096: Patch v.1
Assignee: nobody → gerv
Status: NEW → ASSIGNED
Attachment #8341096 - Flags: review?(glob)
Comment on attachment 8341096: Patch v.1

As per bug 945282, I don't want CSP implemented as a hook + admin param. Please fix bug 600692 upstream instead.
Attachment #8341096 - Flags: review?(glob) → review-
glob: what you've said here and there are not quite exactly the same. If I instead implement a CSP-specific extension which allows the specification of a CSP header, and perhaps with a checkbox for "Report-Only" mode, using the same HTTP header hook from this bug, is that acceptable to you? If not, why not? Your objection AIUI is that you don't want an admin to be able to specify arbitrary headers, and this plan avoids that. Gerv
Sorry, I wasn't clear enough in my reviews. As the goal is to return CSP headers, the correct way to do that is to fix the CSP bug. I don't think it makes sense to implement this via an extension, regardless of implementation. It will be trivial and faster to implement without hooks, and would benefit all Bugzilla installations instead of just BMO.
We can't just "make Bugzilla support CSP", because that's Hard - Bugzilla will need a lot of internal rearranging of scripts and so on. And it could be that, either temporarily or permanently, different pages on Bugzilla require different CSP headers. Having a hook allows us to shift all that policy into an extension, and play with it there. The first step is the simple extension I've written. A second step would be an extension which implemented a more complex policy, based on experience. The third step would be integrating it into Bugzilla itself when we were sure the policy is correct. If this plan doesn't appeal, can you describe exactly what you mean when you say "fix the CSP bug"? Gerv
(In reply to Gervase Markham [:gerv] from comment #5)
> If this plan doesn't appeal, can you describe exactly what you mean when you say "fix the CSP bug"?

Basically, whatever you are planning to do on BMO's system should instead happen upstream.
(In reply to Byron Jones ‹:glob› from comment #6)
> basically whatever you are planning to do on bmo's system should instead happen upstream.

We need to figure out what the right policy is, and the best way to do that is by writing a potential policy and using Report Only mode on a heavily-used Bugzilla instance. BMO is also significantly customized, and so may need a different policy from stock Bugzilla. For both these reasons, it makes sense to create the ability to deploy CSP on BMO via an extension (or multiple extensions - start with a simple one, and then move on to another which may vary the policy across the application), and use that to gather data, and to develop the right policies and best protections. In Report-Only mode, the use of CSP will not cause any errors in the browsers of users. Gerv
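The Report-Only workflow described in the comment above, as an added example that is not Bugzilla or BMO code and is not the patch attached to this bug: a request path is mapped to a candidate policy (the directive values and the per-page override for /attachment.cgi are assumptions, not any policy Bugzilla ships), the header is emitted as Content-Security-Policy-Report-Only so nothing is blocked, and the JSON violation reports browsers POST to the report-uri are parsed and aggregated so the policy can be tightened from real data before switching to enforcement. The sample reports at the bottom are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Candidate policy (an assumption for this example, not Bugzilla's real policy).
# Values are lists of CSP source expressions.
DEFAULT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "report-uri": ["/csp-report"],
}

# Hypothetical per-page override, showing that the policy can vary by path:
# a served attachment should be an inert document, so everything is locked down.
PAGE_POLICIES = {
    "/attachment.cgi": {"default-src": ["'none'"], "report-uri": ["/csp-report"]},
}


def serialize_policy(policy):
    """Render a directive dict as a CSP header value."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in policy.items())


def csp_header(path, report_only=True):
    """Choose the header name and value for a request path.

    Report-Only mode makes the browser send violation reports but never blocks
    anything, so users see no breakage while the policy is being tuned.
    """
    policy = PAGE_POLICIES.get(path, DEFAULT_POLICY)
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    return name, serialize_policy(policy)


def parse_report(body):
    """Extract (directive, blocked URI, document URI) from one report POST body.

    Browsers POST a JSON object with a 'csp-report' key to the report-uri.
    Older reports carry only 'violated-directive', which may include the
    directive's source list, so fall back to its first token. Returns None
    for anything that is not a well-formed report.
    """
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    directive = (report.get("effective-directive")
                 or report.get("violated-directive", "").split(" ")[0])
    if not directive:
        return None
    # An empty blocked-uri means an inline script or style was blocked.
    blocked = report.get("blocked-uri") or "inline"
    return directive, blocked, report.get("document-uri", "")


def aggregate_reports(bodies):
    """Count (directive, blocked URI) pairs across reports; malformed bodies are skipped."""
    counts = Counter()
    for body in bodies:
        parsed = parse_report(body)
        if parsed:
            directive, blocked, _ = parsed
            counts[(directive, blocked)] += 1
    return counts


def suggest_sources(counts, policy=DEFAULT_POLICY):
    """Per directive, list origins the policy does not yet allow, or code to fix.

    Inline and eval violations are kept separate on purpose: the remedy is
    moving the script/style into a file, not adding 'unsafe-inline'. The
    origin comparison is a rough string match against the source list.
    """
    suggestions = defaultdict(set)
    for (directive, blocked), _ in counts.items():
        if blocked in ("inline", "eval"):
            suggestions[directive].add(f"fix inline/eval usage ({blocked})")
        elif blocked not in policy.get(directive, []):
            suggestions[directive].add(blocked)
    return {d: sorted(s) for d, s in suggestions.items()}


# Constructed sample report bodies (not real BMO traffic): two inline-script
# violations, one blocked image origin, and two malformed submissions.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://bugzilla.example/show_bug.cgi?id=1",
                               "effective-directive": "script-src",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "",
                               "original-policy": serialize_policy(DEFAULT_POLICY)}}),
    json.dumps({"csp-report": {"document-uri": "https://bugzilla.example/show_bug.cgi?id=2",
                               "violated-directive": "img-src 'self' data:",
                               "blocked-uri": "https://gravatar.example"}}),
    json.dumps({"csp-report": {"effective-directive": "script-src", "blocked-uri": ""}}),
    "not json",
    json.dumps({"nothing": 1}),
]
```

Running `aggregate_reports(SAMPLE_REPORTS)` and then `suggest_sources(...)` on the result shows the two kinds of finding this approach separates: an external origin the policy may legitimately need to allow, and inline script usage that should be fixed in the templates rather than waived.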
(In reply to Gervase Markham [:gerv] from comment #7)
> We need to figure out what the right policy is, and the best way to do that is by writing a potential policy and using Report Only mode on a heavily-used Bugzilla instance.

I disagree; we don't need to touch our production instance to gather this data, nor is CSP configuration related to how heavily a Bugzilla instance is used.

> BMO is also significantly customized, and so may need a different policy from stock Bugzilla.

Whatever CSP policy is developed for upstream Bugzilla needs to accommodate extensions, and would be equally applicable to BMO.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX