
Adding CSP to bugzilla.mozilla.org


Emma Humphries

Jan 20, 2017, 7:38:54 PM1/20/17
to dev. planning, Firefox Dev, mozilla-...@lists.mozilla.org, dev-platform, dev-a...@mozilla.org
We're about to enable a Content Security Policy (CSP)(1) on
bugzilla.mozilla.org. CSP will mitigate several types of attack on our
users and our site, including Cross-Site Request Forgery (XSRF)(2) and
Cross-Site Scripting (XSS)(3).

The first place we're deploying this is in the bug detail page in the new
Modal view (which, you may recall, we're making the default view (4)) with
a goal for the site to have complete CSP coverage.

As a side-effect of this work, CSP may break add-ons that modify the bug
detail page. If we have broken something of yours, we can quickly fix it.
We're already enabling the Socorro Lens add-on(5). You can see how that was
addressed(6).

Web Extensions can modify the DOM of a bug detail page through
`content.js`. You cannot load images, javascript, iframes, form actions, or
css from external sites, unless we make an exception for you(7).

Long term, if you have a feature from an add-on you'd like to make part of
BMO, please seek me out on irc://irc.mozilla.org/bteam or open a new ticket
in the bugzilla.mozilla.org product in Bugzilla and set the severity to
'enhancement'(8).

Thank you,

Emma (🐞👩)

1: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
2: https://www.owasp.org/index.php/CSRF
3: https://www.owasp.org/index.php/XSS
4: https://groups.google.com/forum/#!topic/mozilla.dev.platform/_AFaUi3JQhs
5: https://addons.mozilla.org/en-US/firefox/addon/bugzilla-socorro-lens/
6: https://github.com/ashughes1/bugzilla-socorro-lens/issues/19
7: https://wiki.mozilla.org/BMO/Add-on_Registry
8: https://bugzilla.mozilla.org/enter_bug.cgi?product=bugzilla.mozilla.org&bug_severity=enhancement
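The post says add-ons that pull images, scripts, iframes, form targets or stylesheets from external sites will be blocked by the new policy unless an exception is granted. The following Python sketch is an added example, not part of Emma's post and not the policy bugzilla.mozilla.org actually ships: it parses a CSP header and decides, for a list of loads a hypothetical add-on might attempt, which ones the policy permits. The policy string, the `cdn.example.invalid` host and all function names are constructed for illustration, and the matcher implements only a simplified subset of CSP source matching (`'self'`, `'none'`, scheme-only sources, exact hosts and `*.` wildcards), so it is a teaching model rather than a browser-accurate evaluator.

```python
"""Minimal Content-Security-Policy evaluator (added, illustrative example).

The policy and the resource requests below are constructed samples; this is
not bugzilla.mozilla.org's real header.  Only a subset of CSP is modelled:
'self', 'none', exact origins, scheme-only sources ("https:") and "*." host
wildcards.  Real browsers also handle nonces, hashes, 'unsafe-inline', ports,
paths, frame-ancestors and scheme upgrades.
"""
from urllib.parse import urlsplit

# Which directive governs each kind of load.  Every fetch directive falls back
# to default-src when absent, except form-action, which never does.
FETCH_DIRECTIVES = {
    "script": "script-src",
    "style": "style-src",
    "img": "img-src",
    "frame": "frame-src",
    "form": "form-action",
}
NO_DEFAULT_FALLBACK = {"form-action"}


def parse_csp(header: str) -> dict:
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; first directive wins."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _origin(url: str) -> tuple:
    """(scheme, host) of a full URL, both lower-cased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression allow loading `url` into `page_origin`?"""
    scheme, host = _origin(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host) == _origin(page_origin)
    if source.endswith(":"):                       # scheme-source, e.g. "https:"
        return scheme == source[:-1]
    src_scheme, _, src_host = source.rpartition("://")
    if src_scheme and src_scheme != scheme:       # "https://host" pins the scheme
        return False
    if src_host.startswith("*."):                  # "*.mozilla.org" excludes the bare domain
        return host.endswith(src_host[1:]) and host != src_host[2:]
    return host == src_host


def is_allowed(policy: dict, kind: str, url: str, page_origin: str) -> bool:
    """Decide whether a load of `kind` from `url` passes `policy`."""
    directive = FETCH_DIRECTIVES[kind]
    sources = policy.get(directive)
    if sources is None and directive not in NO_DEFAULT_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                                # nothing applies: unrestricted
    return any(source_matches(s, url, page_origin) for s in sources)   # [] acts as 'none'


# Constructed policy in the spirit of the announcement: everything same-origin,
# no frames, forms may only post back to the site.  Assumed, not BMO's header.
BMO_LIKE_POLICY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                   "img-src 'self'; frame-src 'none'; form-action 'self'")
PAGE = "https://bugzilla.mozilla.org"

# Hypothetical loads an add-on's content script might trigger (constructed).
ADDON_LOADS = [
    ("style", "https://bugzilla.mozilla.org/static/addon.css"),   # same-origin: ok
    ("style", "https://cdn.example.invalid/addon.css"),           # external: blocked
    ("img", "https://cdn.example.invalid/icon.png"),              # external: blocked
    ("form", "https://bugzilla.mozilla.org/process_bug.cgi"),     # same-origin: ok
    ("frame", "https://bugzilla.mozilla.org/"),                   # frame-src 'none'
]


def audit_addon_loads(header: str, loads: list) -> dict:
    """Map each URL an add-on would fetch to True/False under `header`."""
    policy = parse_csp(header)
    return {url: is_allowed(policy, kind, url, PAGE) for kind, url in loads}


if __name__ == "__main__":
    for url, ok in audit_addon_loads(BMO_LIKE_POLICY, ADDON_LOADS).items():
        print(("allowed" if ok else "BLOCKED").ljust(8), url)
    # The "exception" route from the post: allowlist the one external host.
    widened = BMO_LIKE_POLICY.replace(
        "style-src 'self'", "style-src 'self' https://cdn.example.invalid")
    print(audit_addon_loads(widened, ADDON_LOADS[1:2]))
```

Running it shows the same-origin stylesheet and form post passing, the two `cdn.example.invalid` loads and the iframe being refused, and the external stylesheet passing again once its host is added to `style-src`, which is the "exception" the post refers to. The `form-action` special case matters in practice: a policy that sets only `default-src 'self'` still lets a form post anywhere, so CSRF mitigation via CSP needs `form-action` spelled out, as the constructed policy does.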