This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

Audit screenshots.firefoxusercontent.com CSP #3980

Closed
ghost opened this issue Jan 17, 2018 · 2 comments
Labels
security Security issue: can be an active issue, or related to security hygiene

Comments


ghost commented Jan 17, 2018

This is the CSP for a random screenshot I took. This is for a .png:

Content-Security-Policy: 
default-src 'self'; 
img-src 'self' stable.dev.lcip.org www.google-analytics.com screenshotscdn.firefox.com screenshotscdn.firefoxusercontent.com screenshots.firefoxusercontent.com data:; 
script-src 'self' screenshotscdn.firefox.com www.google-analytics.com 'nonce-5e0216e8-8ddd-4ecb-a482-e8223956d5ff'; 
style-src 'self' screenshotscdn.firefox.com 'unsafe-inline' https://code.cdn.mozilla.net; 
connect-src 'self' screenshotscdn.firefox.com www.google-analytics.com sentry.prod.mozaws.net; 
font-src https://code.cdn.mozilla.net; 
frame-ancestors 'none'; 
object-src 'none';

I thought this domain was only for user images. If that's wrong, my questions below are probably off also, but assuming only images:

  • Why would we need images from stable.dev.lcip.org?
  • Do we actually serve any analytics off this domain? (should GA be on this list?)
  • what is that nonce script?
  • If this is only images, shouldn't script/style/connect/font all be none?
@ghost ghost added the security Security issue: can be an active issue, or related to security hygiene label Jan 17, 2018
@johngruen johngruen added this to the Sprint 7 (60-2) 🏏 milestone Jan 23, 2018
Collaborator

chenba commented Feb 28, 2018

The short answer to those questions is that we serve one CSP header from node for all responses regardless of content type, route, host, etc.

For most routes that doesn't make sense. #4159 will stop sending CSP on image, css, script, text, and (most) json responses.

@ghost ghost modified the milestones: Sprint 7 (60-2) 🏏, Sprint 10 (61-2) ⛅ Mar 5, 2018
ianb added a commit that referenced this issue Mar 14, 2018
Stop sending CSP and frame options headers on non-documents. (#3980)
@ghost ghost modified the milestones: Sprint 10 (61-2) ⛅, Sprint 11 (61-3) 👗 Apr 16, 2018

ghost commented Apr 30, 2018

The nonce script is for inline scripts.

Thanks Barry!

@ghost ghost closed this as completed Apr 30, 2018