Closed Bug 996251 Opened 11 years ago Closed 11 years ago

Vendor Sec Review: UserVoice.com

Categories

(mozilla.org :: Security Assurance: Review Request, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: groovecoder, Assigned: curtisk)

References

Details

Attachments

(1 file)

To facilitate developer feedback into the Firefox Developer Tools team, we want to add a UserVoice.com widget to MDN. [1] So, can we review UserVoice.com and their widget implementation [2] for any security and/or privacy blockers?

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=994738
[2] https://developer.uservoice.com/docs/widgets/methods/#embed-widget
Blocks: 994738
Blocks: 996656
No longer blocks: 996656
Assignee: nobody → curtisk
Whiteboard: [pending secreview]
:curtisk - any update here? The ffdevtools UserVoice forums just launched and we'd like to give them a boost w/ referral traffic from MDN. https://hacks.mozilla.org/2014/05/launching-feedback-channels-let-us-know-your-ideas-for-firefox-developer-tools/
Flags: needinfo?(curtisk)
(In reply to Luke Crouch [:groovecoder] from comment #1)
> :curtisk - any update here? The ffdevtools UserVoice forums just launched
> and we'd like to give them a boost w/ referral traffic from MDN.
>
> https://hacks.mozilla.org/2014/05/launching-feedback-channels-let-us-know-your-ideas-for-firefox-developer-tools/

I believe I (or Maris, Justin) need to reach out to them with a number of questions, outlined in bug 1000106.
(In reply to Robert Nyman from comment #2)
> (In reply to Luke Crouch [:groovecoder] from comment #1)
> > :curtisk - any update here? The ffdevtools UserVoice forums just launched
> > and we'd like to give them a boost w/ referral traffic from MDN.
> >
> > https://hacks.mozilla.org/2014/05/launching-feedback-channels-let-us-know-your-ideas-for-firefox-developer-tools/
>
> I believe I (or Maris, Justin) need to reach out to them with a number of
> questions, outlined in bug 1000106.

correct
Flags: needinfo?(curtisk)
:curtisk - we have effectively WONTFIX'd bug 1000106 unless it's required for this widget. So, we would source the widget from http://ffdevtools.uservoice.com/ instead of a Mozilla sub-domain. Do you have enough information in bug 994738 to review the security of that implementation?
Flags: needinfo?(curtisk)
So I am a bit confused, we have a JS widget that is on a Mozilla domain but is hosted on a non-Mozilla domain? Is this a vendor type of relationship? From a security perspective this is not optimal. In a quick look at the site they appear to have inline styles, which makes CSP harder (but not impossible). I did a cursory scan of the site using ZAP and found one issue; it's a medium but I'd prefer not to put that in a public bug, so I'll likely file a blocking bug to this bug with that issue. There are a bunch of low severity issues, but right now I don't feel they are concerning enough to file individual bugs on. I may just file a single bug with the scan results.
Flags: needinfo?(curtisk)
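As an added example (not code from the bug, MDN or UserVoice), a small JavaScript check of a page's Content-Security-Policy against the widget origin named in this bug: it reports whether the widget script could load at all and whether the vendor's inline styles that curtisk mentions would be paid for with 'unsafe-inline' or with a nonce/hash. The policy strings and the nonce value are constructed for illustration.

```javascript
// Added example (not from the bug, MDN or UserVoice): inspect a CSP policy
// before embedding a third-party hosted widget. The widget host is the one
// named in the bug; the policy strings used to exercise it are constructed.
const WIDGET_ORIGIN = "https://ffdevtools.uservoice.com";

// Parse "directive v1 v2; directive v3" into a Map of directive -> values.
// Per the CSP spec, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const csp = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !csp.has(name.toLowerCase())) csp.set(name.toLowerCase(), values);
  }
  return csp;
}

// script-src / style-src fall back to default-src when absent.
function effectiveSources(csp, directive) {
  return csp.get(directive) ?? csp.get("default-src") ?? [];
}

// Does any host-source expression in the list match the widget origin?
// Handles "*", "host", "scheme://host" and "*.host"; keywords never match.
function originAllowed(sources, origin) {
  const { protocol, host } = new URL(origin);
  return sources.some((src) => {
    if (src === "*") return true;
    if (src.startsWith("'")) return false;
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)$/i.exec(src);
    if (!m) return false;
    const [, scheme, srcHost] = m;
    if (scheme && `${scheme.toLowerCase()}:` !== protocol) return false;
    const h = srcHost.toLowerCase();
    return h.startsWith("*.") ? host.endsWith(h.slice(1)) : h === host;
  });
}

// Summarise what the policy permits for the widget's script and styles.
// CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present.
function assessWidgetPolicy(policy, origin = WIDGET_ORIGIN) {
  const csp = parseCsp(policy);
  const scripts = effectiveSources(csp, "script-src");
  const styles = effectiveSources(csp, "style-src");
  const hasNonceOrHash = (s) => s.some((v) => /^'(nonce|sha(256|384|512))-/.test(v));
  return {
    scriptAllowed: originAllowed(scripts, origin),
    styleAllowed: originAllowed(styles, origin),
    styleUnsafeInline: styles.includes("'unsafe-inline'") && !hasNonceOrHash(styles),
    styleNonceOrHash: hasNonceOrHash(styles),
  };
}
```

Run it against the policy MDN actually serves to see which of the two costs (allowing the widget host, or loosening style-src for its inline styles) the embed would impose.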
I would also point Minion at this, but since it's not a Mozilla domain I would want permission before pointing more powerful tools at this domain.
Flags: needinfo?(lcrouch)
(In reply to Curtis Koenig [:curtisk] from comment #5)
> So I am a bit confused, we have a JS widget that is on a Mozilla domain but
> is hosted on a non-Mozilla domain? Is this a vendor type of relationship?
>
> From a security perspective this is not optimal.
> In a quick look at the site they appear to have inline styles, which makes
> CSP harder (but not impossible).

I think there will often be cases where this is needed, though, albeit not optimal. Google Analytics is the biggest one, but cases like this also show where 3rd party services offer widgets that they host themselves (and for us to build an implementation using their API would be impossible or not cost efficient).

Based on our sec review and its results I believe the next step would be for us to reach out to them and ask them to fix that before we can implement it (I have contacts there, so let me know if I can help).
Based on the criteria we've used before (https://wiki.mozilla.org/Security/Process/Vendor_Reviews/Risk_Categories) this is likely a Tier-3 type of system anyway (no sensitive data). The biggest risk to us would be in terms of perception if it were used to deface or otherwise misused. So we likely don't need to go super deep with regards to security here. That said, I would like the questions from the vendor review (bug 1000106 #c4) to at least be documented as best we can. If we can get that I would be fairly comfortable resolving these bugs and moving on.
(In reply to Curtis Koenig [:curtisk] from comment #8)
> Based on the criteria we've used before
> (https://wiki.mozilla.org/Security/Process/Vendor_Reviews/Risk_Categories)
> this is likely a Tier-3 type of system anyway (no sensitive data). The
> biggest risk to us would be in terms of perception if it were used to deface
> or otherwise misused. So we likely don't need to go super deep with regards
> to security here. That said, I would like the questions from the vendor
> review (bug 1000106 #c4) to at least be documented as best we can. If we can
> get that I would be fairly comfortable resolving these bugs and moving on.

Sounds fair. I'll reach out to them with the questions in bug 1000106 and will get back with the answers.
Curtis, is this sufficient information? https://www.uservoice.com/compliance/
Flags: needinfo?(curtisk)
PDF printed snapshot of https://www.uservoice.com/compliance/ taken 2014-08-22
Flags: needinfo?(curtisk)
I would have preferred our standard set just for consistency but given that this is a Tier 3 type of system/relationship (https://wiki.mozilla.org/Security/Process/Vendor_Reviews/Risk_Categories#Tier_3:_Risk_Level_Low) I don't think we need to beat on this any longer. Assuming legal and privacy teams don't have further concerns I don't see a reason why this can't proceed.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(lcrouch)
Resolution: --- → FIXED
:curtisk - can you cc me and/or Robert on those bugs too so we can help pull them through the process?
Flags: needinfo?(curtisk)
You are both CC'd now.
Flags: needinfo?(curtisk)
(In reply to Curtis Koenig [:curtisk] from comment #12)
> I would have preferred our standard set just for consistency but given that
> this is a Tier 3 type of system/relationship
> (https://wiki.mozilla.org/Security/Process/Vendor_Reviews/Risk_Categories#Tier_3:_Risk_Level_Low)
> I don't think we need to beat on this any longer. Assuming legal and privacy
> teams don't have further concerns I don't see a reason why this can't proceed.

Thanks Curtis! I also have your outstanding questions to them just in case, but good that we can move forward with this!