Archive for January, 2014

Working on CSP bug…cont’d

Posted: January 25, 2014 in Programming

Welcome to Friday evening. I am writing to tell you a little bit more, following up on my previous post about my involvement with Mozilla, CSP and bug fixes. This week I pushed my CSP fix to master on webmaker.org. Shortly after that, my code was reviewed by Jon (my thanks for his patience and help), and I got some comments on my work. Basically:

  • I made an odd mistake: I applied CSP only to the index page, but it should cover the whole of webmaker.org. Fixed by adding to app.js: app.use(middleware.addCSP());
  • The img-src directive of the CSP should be set to "*", because the application loads images from many locations. Fixed.
  • Remove unneeded comments. Fixed.
  • Include hosts as allowed sources for the CSP, not every individual domain. E.g.
    var hood = require('hood'); // Mozilla's security-headers module that provides the csp() middleware

    module.exports.addCSP = function(options) {
      return hood.csp({ // module for CSP
        headers: [
          "Content-Security-Policy-Report-Only" // report violations, don't block yet
        ],
        policy: {
          'default-src': ["'self'", "https://mozorg.cdn.mozilla.net", // host, not every path under it
          ...
          ]
        }
      });
    };

    Fixed.

  • More testing needed. Done: removed more inline script/style tags and tested in different browsers.

Found that the Google Maps API uses eval, which violates the CSP. Not fixed: can it be?!

Basically, CSP does not allow the use of eval() or new Function(). I tested webmaker's Events page, and there are a lot of eval uses inside the Google Maps API. Jon forwarded me the follow-up on the Google bug page -> . Some of the responses say that using another Maps API could be a solution, but not for all cases. The Google Maps API is good, but has some problems as well. Maybe recode some of the functions inside the Google code?! Will it work?
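As an added example (not webmaker.org's or the hood module's code), here is a plain Node middleware in the same shape as the addCSP() above: it serialises a hood-style policy object into a header value, switches between the Report-Only and enforcing header names, and shows why the Google Maps eval() trips this policy (no 'unsafe-eval' in script-src, and default-src is the fallback). The helper names and the page origin used in the comments are my own assumptions.

```javascript
// Added example, not code from webmaker.org or hood. Header names and the
// policy values (default-src with 'self' plus the CDN host, img-src *) come
// from the post; serializePolicy/allows/evalAllowed are my own helper names.
const REPORT_ONLY = "Content-Security-Policy-Report-Only"; // rollout mode: report, don't block
const ENFORCE = "Content-Security-Policy";                 // production mode: block violations

// Same shape hood.csp() takes: directive -> list of allowed sources.
const policy = {
  "default-src": ["'self'", "https://mozorg.cdn.mozilla.net"], // the host, not each path
  "img-src": ["*"],                                           // images come from many places
};

// "default-src 'self' https://...; img-src *"  (directives joined by "; ")
function serializePolicy(p) {
  return Object.keys(p)
    .map((directive) => directive + " " + p[directive].join(" "))
    .join("; ");
}

// Minimal (req, res, next) middleware: sets one CSP header on every response.
function addCSP(p, reportOnly) {
  const name = reportOnly ? REPORT_ONLY : ENFORCE;
  const value = serializePolicy(p);
  return function (req, res, next) {
    res.setHeader(name, value);
    next();
  };
}

// Would a resource from `origin` be allowed under `directive`? Unlisted fetch
// directives fall back to default-src, exactly as browsers resolve them.
function allows(p, directive, origin, pageOrigin) {
  const sources = p[directive] || p["default-src"] || [];
  return sources.some(
    (s) => s === "*" || (s === "'self'" && origin === pageOrigin) || s === origin
  );
}

// eval()/new Function() are only allowed when 'unsafe-eval' is listed; this is
// why the Google Maps eval calls show up as violations under the policy above.
function evalAllowed(p) {
  const sources = p["script-src"] || p["default-src"] || [];
  return sources.includes("'unsafe-eval'");
}

module.exports = { policy, serializePolicy, addCSP, allows, evalAllowed };
```

Loosening the policy with 'unsafe-eval' would silence the report, but it also re-opens the door CSP was closing, so a library that needs it is worth weighing against the rest of the policy.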
Other than that, I am really excited about this opportunity to contribute to the Open Source community, and hopefully I will get more efficient at it in a reasonable time. Also thanks to Dave and Cade in IRC 🙂


Here I am in Open Source Development… I was so excited to take this course, and I still am. Everything started after the first class, where we got an idea of the projects we could work on. My “weakness” and area of interest lie in JavaScript, more specifically node.js. I looked through the Mozilla projects and decided to start with Webmaker.org.

Dave connected me with Jon, who is interested in node.js and, at this particular time, in Content Security Policy (CSP).

CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP on dev.mozilla

Jon, Dave and I had a conversation in IRC, and I was assigned bug 959270, which basically says to implement CSP in Webmaker.org. The very first thing I started with was reading about CSP. I looked through many tutorials and examples on the web, and read some background information on CSP. Basically you add allowed domains to the CSP; you can also say that inline <script> tags are not allowed -> this decreases the web application's vulnerability. The same works for styles.

Before starting to work on that bug, I had to set up a local version of webmaker. Last Thursday I met Ali at CDOT, and he offered me his help with that. We spent some time setting up webmaker properly, and that was my starting point. It was fun 🙂

I will let you know that I am a little bit familiar with node.js, and I think it is a technology really worth knowing. Also, GitHub is part of Open Source Development, and I was familiar with it before as well. So I was ready to start, but I was a little afraid of messing everything up. The bug itself is really interesting, and it is not an actual bug; it is the implementation of a new feature in the product.

During my bug fix, I found one more bug -> bug 961155 🙂 This was real fun and excitement for me. Jon assigned that bug to me as well. So I am working on both bugs.

This Monday (Jan 20), I made a Pull Request. Right now my bug fix is in the process of being reviewed. Hopefully it will pass all the requirements, but honestly I think it won't. 🙂

Absolutely excited with this class.