mozilla / concepts (Goto Github PK)
Static site tool for generating product concepts
Just a normal, nondescript 404 with a link to moz.org...might want GA for params
For QA, etc., should debug clear cookies, etc.?
Hello! This is your neighborhood secops team looking out for you!
The production branch on this repository is not protected against force pushes. This setting is recommended as part of Mozilla's Guidelines for a Sensitive Repository.
Anyone with admin permissions for this repository can correct the setting using this URL.
If you have any questions, or believe this issue was opened in error, please contact us and mention SOGH001-0 and this repository.
Thank you for your prompt attention to this issue.
--Firefox Operations Security team
maybe change build to rm -rf public and .cache first
Repro:
Works fine IFF we include the slash.
Suggested fix:
This isn't really too bad of a problem, since the index.html files will be overwritten and they will point to the new js files with the new hash, but the old js files will still be in s3, leaking 💰💵💸.
What is the schema we need
Amplitude will be a lot more flexible than GA, and we can roll really nice per-experiment reports with it.
we can make devs go to the non-slash thing but it has to be documented and we should have a real 404 for slash routes
GraphQL queries don't fail gracefully in Gatsby, meaning you have to copy an exact frontmatter syntax for each experiment or the build will fail.
This will become increasingly burdensome as more experiments are built and we want to modify or enhance syntax.
For comparing these ad-free features with an existing property (monitor), is it better to:
- attempt to join in Data Studio with existing GA on monitor
- make a fake monitor or vpn page
We could add custom colors, sizes, whatever...
We need to make sure this site isn't indexable or findable on search engines
Now that basic metrics collections are in place, we should debounce events by using localStorage to ensure we only send each event type once.
STR: try to deploy on stage or prod...nothing happens
Warning: might have a privacy policy concern if we use local storage / cookies. See #2.
@gregglind to make matt decide
'Deploy a small service'
GOAL: should be easy for dev / us to mostly verify that we have it right
Right now every variant needs a full markdown template, and a lot of this winds up being redundant. It might be nice to write one base template and then some sort of diffs file to track different variants that only includes the specific attributes that get changed
to make it easier to manage deployments
Query Param stripping (as part of Referrer inbound marketing) might be a Thing.
We're syncing ftl files, xpi files, and rdf files. We don't need to.
I noticed CORS is set to allow *, which I think testpilot needed, but we should probably turn it off here.
Follow up with Security
SecOps recommends that static websites deployed directly from CircleCI have branch protection enabled, which can be done here: https://github.com/mozilla/concepts/settings/branches
In particular, please consider enabling at least the following:
We could do *.firefox.com/{$experiment}/{$branch}
What should / be?
In order to avoid ETP rolling out in Firefox 67, we will need to proxy metrics pings through a server. Firefox Send solves this by sending client metrics through its own server to an Amplitude endpoint.
We could do something similar, but right now First Look is serverless, so this will require some thinking about infra
I'm getting an error when running gatsby develop
and trying to hit a localhost url such as localhost:8000/vpn/index
or localhost:8000/scroll/v1a
(I also tried a few others and tried trailing slashes as I saw few issues about that).
The error I'm getting is: error GraphQL Error Field "image" must not have a selection since type "String" has no subfields.
See below for full output on console.
Tamaras-MacBook-Pro:concepts mozilla$ gatsby develop
success open and validate gatsby-configs — 0.006 s
success load plugins — 0.488 s
success onPreInit — 0.009 s
success initialize cache — 0.018 s
success copy gatsby files — 0.099 s
success onPreBootstrap — 0.006 s
success source and transform nodes — 0.102 s
success building schema — 0.225 s
success createPages — 0.067 s
success createPagesStatefully — 0.032 s
success onPreExtractQueries — 0.000 s
success update schema — 0.018 s
error GraphQL Error Field "image" must not have a selection since type "String" has no subfields.
file: /Volumes/development/concepts/src/templates/conceptVariant/index.js
12 | metaSecondaryLink
13 | concept {
14 | cobrand
15 | cobrandIcon {
16 | publicURL
17 | }
18 | hero {
19 | title
20 | text
21 | cta
22 | image {
| ^
23 | publicURL
24 | }
25 | }
26 | facets {
27 | title
28 | text
29 | image {
30 | publicURL
31 | }
32 | }
success extract queries from components — 0.055 s
⠁ (node:37760) DeprecationWarning: Passing lineNumber and colNumber is deprecated to @babel/code-frame. Please use codeFrameColumns
.
success run graphql queries — 0.029 s — 20/20 733.15 queries/second
success write out page data — 0.009 s
success write out redirect data — 0.001 s
⠐ onPostBootstrapdone generating icons for manifest
success onPostBootstrap — 0.553 s
info bootstrap finished - 4.579709867 s
DONE Compiled successfully in 3833ms 11:20:21 AM
You can now view fx-concepts in the browser.
View GraphiQL, an in-browser IDE, to explore your site's data and schema
http://localhost:8000/___graphql
Note that the development build is not optimized.
To create a production build, use npm run build
ℹ 「wdm」:
ℹ 「wdm」: Compiled successfully.
TODOS:
Matt, Gregg, and Rob:
// Fragment of the variant page component. Assumed context: `params` is a URLSearchParams built from
// the current location, and metaSurveyUrl / metaCleanName / metaVariant come from the variant's frontmatter.
const rc = encodeURIComponent(params.get('rc'))       // passed through from the inbound query string
const rv = encodeURIComponent(params.get('rv'))
const aid = metaCleanName                             // concept name (inserted unencoded)
const av = metaVariant                                // variant name (inserted unencoded)
// Only read navigator in the browser: Gatsby also evaluates this during the server-side build, where window is undefined.
const t = typeof window === 'object' ? navigator.doNotTrack === "1" : false
const debug = encodeURIComponent(params.get('debug'))
const surveyUrl = `${metaSurveyUrl}/?rc=${rc}&rv=${rv}&aid=${aid}&av=${av}&t=${t}&debug=${debug}`
John and Wil
As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:
If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].
(Message COC001)
Observing instead:
https://qsurvey.mozilla.com/s3/sdmt/?rc=&rv=&aid=scroll-experiment&av=vpn&t=false&debug=
right now we're adding parameters for concept name and variant...anything else we'd like to pass?
Enable security scanning of 3rd-party libraries and dependencies: npm audit with audit-filter to review and handle exceptions (see example in speech-proxy).
Keep 3rd-party libraries up to date (in addition to the security updates).
Integrate static code analysis in CI, and avoid merging code with issues.
Set a CSP header, reporting to a /__cspreport__ endpoint: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__ to disallow all content rendering and framing, and to report violations.
default-src, frame-src, and object-src should be none or only allow specific origins.
Sites that handle sensitive information should be added to the extensions.webextensions.restrictedDomains pref. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.
Do not use target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing).
b/c of gatsby's build toolchain, we need to wrap query param extraction in if (typeof window !== 'undefined') {}
should we:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). firstlook.stage.mozaws.net:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
firstlook.stage.mozaws.net
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
firstlook.stage.mozaws.net:1:1
TypeError: window.page is undefined
There's also a window error there, but that might be related to the CSP stuff as well?