Closed
Bug 945263
Opened 11 years ago
Closed 11 years ago
Backport bug 938596 (HTTP headers hook) to BMO
Categories
(bugzilla.mozilla.org :: General, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: gerv, Assigned: gerv)
References
Details
Attachments
(1 file)
4.98 KB,
patch
|
glob
:
review-
|
Details | Diff | Splinter Review |
Can we please backport bug 938596 (the hook for modifying HTTP headers) to BMO? This is needed so that someone can write an extension to allow admins to specify extra HTTP headers, which can then be used to work on fixing bug 600692 (implement Content Security Policy for Bugzilla).
Gerv
Assignee | ||
Comment 1•11 years ago
|
||
Comment on attachment 8341096 [details] [diff] [review]
Patch v.1
as per bug 945282, i don't want CSP implemented as a hook + admin param. please fix bug 600692 upstream instead.
Attachment #8341096 -
Flags: review?(glob) → review-
Assignee | ||
Comment 3•11 years ago
|
||
glob: what you've said here and there are not quite exactly the same.
If I instead implement a CSP-specific extension which allows the specification of a CSP header, and perhaps with a checkbox for "Report-Only" mode, using the same HTTP header hook from this bug, is that acceptable to you? If not, why not? Your objection AIUI is that you don't want an admin to be able to specify arbitrary headers, and this plan avoids that.
Gerv
sorry i wasn't clear enough in my reviews.
as the goal is to return CSP headers, the correct way to do that is to fix the CSP bug.
i don't think it makes sense to implement this via an extension, regardless of implementation. it will be trivial and faster to implement without hooks, and would benefit all bugzilla installations instead of just bmo.
Assignee | ||
Comment 5•11 years ago
|
||
We can't just "make Bugzilla support CSP", because that's Hard - Bugzilla will need a lot of internal rearranging of scripts and so on. And it could be that, either temporarily or permanently, different pages on Bugzilla require different CSP headers. Having a hook allows us to shift all that policy into an extension, and play with it there.
The first step is the simple extension I've written. A second step would be an extension which implemented a more complex policy, based on experience. The third step would be integrating it into Bugzilla itself when we were sure the policy is correct.
If this plan doesn't appeal, can you describe exactly what you mean when you say "fix the CSP bug"?
Gerv
(In reply to Gervase Markham [:gerv] from comment #5)
> If this plan doesn't appeal, can you describe exactly what you mean when you
> say "fix the CSP bug"?
basically whatever you are planning to do on bmo's system should instead happen upstream.
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Byron Jones ‹:glob› from comment #6)
> basically whatever you are planning to do on bmo's system should instead
> happen upstream.
We need to figure out what the right policy is, and the best way to do that is by writing a potential policy and using Report Only mode on a heavily-used Bugzilla instance. BMO is also significantly customized, and so may need a different policy from stock Bugzilla. For both these reasons, it makes sense to create the ability to deploy CSP on BMO via an extension (or multiple extensions - start with a simple one, and then move on to another which may vary the policy across the application), and use that to gather data, and to develop the right policies and best protections.
In Report-Only mode, the use of CSP will not cause any errors in the browsers of users.
Gerv
(In reply to Gervase Markham [:gerv] from comment #7)
> We need to figure out what the right policy is, and the best way to do that
> is by writing a potential policy and using Report Only mode on a
> heavily-used Bugzilla instance.
i disagree; we don't need to touch our production instance to gather this data, nor is CSP configuration related to how heavily a bugzilla instance is used.
> BMO is also significantly customized, and so may need a different policy from stock Bugzilla.
whatever CSP policy developed for upstream bugzilla need to accommodate extensions, and would be equally applicable to bmo.
Assignee | ||
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•