mozilla / concepts Goto Github PK

Just a normal, non descript 404 with a link to moz.org...might want GA for params

For qa, etc, should debug clear cookies etc.

Hello! This is your neighborhood secops team looking out for you!

The production branch on this repository is not protected against force pushes. This setting is recommended as part of Mozilla's Guidelines for a Sensitive Repository.

Anyone with admin permissions for this repository can correct the setting using this URL.

If you have any questions, or believe this issue was opened in error, please contact us and mention SOGH001-0 and this repository.

Thank you for your prompt attention to this issue.
--Firefox Operations Security team

maybe change build to rm -rf public and .cache first

Repro:

• https://firstlook.firefox.com/scroll/v3c?rc=heartbeat&rv=hate-ads
• notice that the button doesn’t have filled qargs, AND clicking the button doesn’t fill them.

Works fine IFF we include the slash.

Suggested fix:

• only call slashed URLs.

This isn't really too bad of a problem, since the index.html files will be overwritten and they will point to the new js files with the new hash, but the old js files will still be in s3, leaking 💰💵💸.

What is the schema we need

Amplitude will be a lot more flexible than GA, and we can roll really nice per-experiment reports with it.

we can make devs go to the non-slash thing but i has to be documented and we should have a real 404 for slash routes

GraphQL queries don't fail gracefully in Gatsby, meaning you have to copy an exact frontmatter syntax for each experiment or the build will fail.

This will become increasingly burdensome as more experiments are built and we want to modify or enhance syntax.

For comparing these ad-free features with an existing property (monitor), is it better to - attempt to join in Data Studio with existing GA on monitor- make a fake monitor or vpn page

We could add custom colors, sizes, whatever...

weirdly the page still loads

We need to make sure this site isn't indexable or findable on search engines

Now that basic metrics collections are in place, we should debounce events by using localStorage to ensure we only send each event type once.

STR: try to deploy on stage or prod...nothing happens

Warning: might have an privacy policy concern if we use local storage / cookies. See #2.

@gregglind to make matt decide

• concepts.firefox.com
• something.firefox.com

• GA / Amplitude
• Urls
• sec reviews

'Deploy a small service'

• check query args of all links?
• check url param handling
• screenshots during deploy?
• add stage and other links to readme

GOAL should be easy for dev / us to mostly verify that we have it right

Right now every variant needs a full markdown template, and a lot of this winds up being redundant. It might be nice to write one base template and then some sort of diffs file to track different variants that only includes the specific attributes that get changed

to make it easier to manage deployments

Query Param stripping (as part of Referrer inbound marketing) might be a Thing.

We're syncing ftl files, xpi files, and rdf files. We don't need to.

I noticed cors is set to allow *, which I think testpilot needed, but we should probably turn it off here.

• protected branches

Follow up with Security

SecOps recommends for static websites that are deployed from CircleCI directly have branch protection enabled, which can be done here: https://github.com/mozilla/concepts/settings/branches

In particular, please consider enabling at least the following:

• Require pull request reviews before merging
• Require status checks to pass before merging
• Require signed commits

We could do *.firefox.com/{$experiment}/{$branch}

What should / be?

• default CSP to block all any disallowed
• nginx configuration

In order to avoid ETP rolling out in Firefox 67, we will need to proxy metrics pings through a server. Firefox Send solves this by Sending client metrics through it's own server to an Amplitude endpoint.

We could do something similar, but right now First Look is serverless, so this will require some thinking about infra

I'm getting an error when running gatsby develop and trying to hit a localhost url such as localhost:8000/vpn/index or localhost:8000/scroll/v1a (I also tried a few others and tried trailing slashes as I saw few issues about that).

Error I'm getting is error GraphQL Error Field "image" must not have a selection since type "String" has no subfields.

See below for full output on console.

Tamaras-MacBook-Pro:concepts mozilla$ gatsby develop
success open and validate gatsby-configs — 0.006 s
success load plugins — 0.488 s
success onPreInit — 0.009 s
success initialize cache — 0.018 s
success copy gatsby files — 0.099 s
success onPreBootstrap — 0.006 s
success source and transform nodes — 0.102 s
success building schema — 0.225 s
success createPages — 0.067 s
success createPagesStatefully — 0.032 s
success onPreExtractQueries — 0.000 s
success update schema — 0.018 s
error GraphQL Error Field "image" must not have a selection since type "String" has no subfields.

file: /Volumes/development/concepts/src/templates/conceptVariant/index.js

12 | metaSecondaryLink
13 | concept {
14 | cobrand
15 | cobrandIcon {
16 | publicURL
17 | }
18 | hero {
19 | title
20 | text
21 | cta

22 | image {
| ^
23 | publicURL
24 | }
25 | }
26 | facets {
27 | title
28 | text
29 | image {
30 | publicURL
31 | }
32 | }

success extract queries from components — 0.055 s
⠁ (node:37760) DeprecationWarning: Passing lineNumber and colNumber is deprecated to @babel/code-frame. Please use codeFrameColumns.
success run graphql queries — 0.029 s — 20/20 733.15 queries/second
success write out page data — 0.009 s
success write out redirect data — 0.001 s
⠐ onPostBootstrapdone generating icons for manifest
success onPostBootstrap — 0.553 s

info bootstrap finished - 4.579709867 s

DONE Compiled successfully in 3833ms 11:20:21 AM

You can now view fx-concepts in the browser.

http://localhost:8000/

View GraphiQL, an in-browser IDE, to explore your site's data and schema

http://localhost:8000/___graphql

Note that the development build is not optimized.
To create a production build, use npm run build

ℹ ｢wdm｣:
ℹ ｢wdm｣: Compiled successfully.

TODOS:
Matt, Gregg, and Rob:

• Verify copy for all experiments. Please be sure to text button text etc.
• Verify links for all experiments
• Verify that inbound links include appropriate parameters...these should be rc={recruitment channel} and rv={recruitment variant}
• Verify that survey link is correct and that all parameters are being passed

  const rc = encodeURIComponent(params.get('rc'))
  const rv = encodeURIComponent(params.get('rv'))
  const aid = metaCleanName
  const av = metaVariant
  const t = typeof window === 'object' ? navigator.doNotTrack === "1" : false
  const debug = encodeURIComponent(params.get('debug'))
  const surveyUrl = `${metaSurveyUrl}/?rc=${rc}&rv=${rv}&aid=${aid}&av=${av}&t=${t}&debug=${debug}`

• Verify that link to blog post is working across all variants
• Provide VPN copy (we'll need to get images for this one????)

John and Wil

• Verify metrics are recording as intended
• Add VPN page
• Deploy all to Prod

As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:

1. Required Text - All text under the headings Community Participation Guidelines and How to Report, are required, and should not be altered.
2. Optional Text - The Project Specific Etiquette heading provides a space to speak more specifically about ways people can work effectively and inclusively together. Some examples of those can be found on the Firefox Debugger project, and Common Voice. (The optional part is commented out in the raw template file, and will not be visible until you modify and uncomment that part.)

If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].

(Message COC001)

Observing instead:
https://qsurvey.mozilla.com/s3/sdmt/?rc=&rv=&aid=scroll-experiment&av=vpn&t=false&debug= (edited)

right now we're adding parameters for concept name and variant...anything else we'd like to pass?

Risk Management

• The service must have performed a Rapid Risk Assessment.
• The service must be registered via a New Service issue

Development

• enable security scanning of 3rd-party libraries and dependencies

  • For node.js, use npm audit with audit-filter to review and handle exceptions (see example in speech-proxy)

• Keep 3rd-party libraries up to date (in addition to the security updates)

  • For NodeJS applications, use dependabot, renovate, or GreenKeeper

• Integrate static code analysis in CI, and avoid merging code with issues

  • Javascript applications should use ESLint with the Mozilla ruleset

Web Applications

• Must have a CSP with
  • a report-uri pointing to the service's own /__cspreport__ endpoint
  • web API responses should return default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__ to disallowing all content rendering, framing, and report violations
  • if default-src is not none, frame-src, and object-src should be none or only allow specific origins
  • no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src
• Third-party javascript must be pinned to specific versions using Subresource Integrity (SRI)
• Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s
• Set the Secure and HTTPOnly flags on Cookies, and use sensible Expiration
• Make sure your application gets an A+ on the Mozilla Observatory
• Verify your application doesn't have any failures on the Security Baseline.
  • Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc.

Security Features

• Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
• Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review
  • Store session keys server side (typically in a db) so that they can be revoked immediately.
  • Session keys must be changed on login to prevent session fixation attacks.
  • Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).
  • For more information about potential pitfalls see the OWASP Session Management Cheat Sheet
• Form that change state should use anti CSRF tokens. Anti CSRF tokens can be dropped for internal sites using SameSite session cookies where we are sure all users will be on Firefox 60+. Forms that do not change state (e.g. search forms) should use the 'data-no-csrf' form attribute.
• Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.
• If you are building a core Firefox service, consider adding it to the list of restricted domains in the preference extensions.webextensions.restrictedDomains. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.

Common issues

• User data must be escaped for the right context prior to reflecting it
  • When inserting user generated html into an html context:
    • Python applications should use Bleach
    • Javascript applications should use DOMPurify
• Apply sensible limits to user inputs, see input validation
  • POST body size should be small (<500kB) unless explicitly needed
• When allowing users to upload or generate content, make sure to host that content on a separate domain (eg. firefoxusercontent.com, etc.). This will prevent malicious content from having access to storage and cookies from the origin.
  • Also use this technique to host rich content you can't protect with a CSP, such as metrics reports, wiki pages, etc.
• Do not use target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)

• get GA credentials?
• write down how do to do it?

b/c of gatsby's build toolchain, we need to wrap query param extraction in

  if (typeof window !== 'undefined') {}

should we:

• be able to toggle the whole thing to redirect to moz.org or something?
• keep some kind of nondescript landing page?

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). firstlook.stage.mozaws.net:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
firstlook.stage.mozaws.net
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
firstlook.stage.mozaws.net:1:1
TypeError: window.page is undefined

There's also a window error there, but that might be related to the CSP stuff as well?