Recheck Mozilla's Observatory after #586 is fixed #585

Closed
elliotekj opened this issue Mar 2, 2017 · 5 comments
Labels
C-bug 🐞 Category: unintended, undesired behavior

Comments

@elliotekj
Contributor

Crates currently scores 15/100 in Mozilla’s Observatory. I’m not familiar enough with the codebase to know how many of these policies can’t be implemented for a technical reason, but it seems like Crates could be doing better. For comparison, NPM scores 75/100 and rubygems scores 50/100.

@ghost

ghost commented Mar 2, 2017

I think most issues here are rather easy to fix, so it should be worth it. However, as far as the header issues go, I assume it can be done in Rust (like you would do <?php header(...)?>), but I would put that directly into the web server configuration if such customization is allowed.

The CSP header can be directly implemented using a meta tag, though it requires thinking a bit about what should be allowed and what not (or simply authorize everything so that the Observatory is happy, but that sounds fishy and useless).

Anyway, that's something that contributors can't do much about, since the webserver configuration is obviously not in the repo... :)

Anyway, if @carols10cents decides that this issue should be fixed, I suggest we implement the CSP header using metatags, because otherwise, as soon as a PR involves loading an image/script from a location that's not yet authorized, the configuration of the server would have to be changed to match this new location. Quite a pain to maintain if you ask me.

@carols10cents
Member

I think this is worth fixing, but I'm not familiar with these headers or their implications. crates.io is hosted on heroku so we don't really control the web server config.

It looks like rails apps (lots of which are hosted on heroku) just add the CSP header in the application, so that should be fine (https://github.com/blog/1477-content-security-policy)

I'd love if someone could turn each of the tasks into an issue, or at least a checklist in this issue, so we can track who's working on what and what is done or not, and discuss any issues/implications!

@alexcrichton
Member

Oh FWIW we do have some control of a frontend server and we should also be able to set headers ourselves through middleware and such.
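An added example, not crates.io's middleware and not the Observatory's real scoring logic, of the header set such middleware would add and a small audit that mirrors the kind of checks the Observatory runs (missing headers, overly permissive script-src). It assumes a plain `HashMap` with lowercase header names as a stand-in for the framework's response header map, and the CSP it sets is an assumed, deliberately tight policy:

```rust
use std::collections::HashMap;

/// Stand-in for a framework's response header map (assumption for this example).
pub type Headers = HashMap<String, String>;

/// Headers the Observatory rewards. The CSP is an assumed tight policy:
/// no inline scripts, no third-party origins, no plugins, no framing.
pub fn apply_security_headers(h: &mut Headers) {
    let mut set = |k: &str, v: &str| { h.insert(k.to_string(), v.to_string()); };
    set("content-security-policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'");
    set("strict-transport-security", "max-age=31536000; includeSubDomains");
    set("x-content-type-options", "nosniff");
    set("x-frame-options", "DENY");
    set("referrer-policy", "strict-origin-when-cross-origin");
}

/// Returns findings in the spirit of the Observatory's checks (not its exact
/// rules); an empty Vec means every check here passed.
pub fn audit(h: &Headers) -> Vec<String> {
    let mut findings = Vec::new();
    for name in ["content-security-policy", "strict-transport-security",
                 "x-content-type-options", "x-frame-options", "referrer-policy"] {
        if !h.contains_key(name) {
            findings.push(format!("missing header: {}", name));
        }
    }
    if let Some(csp) = h.get("content-security-policy") {
        // Value of one directive, e.g. directive("script-src") -> Some("'self'")
        let directive = |d: &str| csp.split(';').map(str::trim)
            .find(|p| p.starts_with(d)).map(|p| p[d.len()..].trim().to_string());
        // script-src falls back to default-src when it is absent
        let script = directive("script-src").or_else(|| directive("default-src"));
        match script {
            None => findings.push("csp: no script-src or default-src".to_string()),
            Some(s) if s.contains("'unsafe-inline'") || s.contains('*') =>
                findings.push(format!("csp: script-src too permissive: {}", s)),
            _ => {}
        }
        if directive("object-src").is_none() && directive("default-src").is_none() {
            findings.push("csp: object-src unrestricted".to_string());
        }
    }
    findings
}
```

Note that a CSP delivered only via a meta tag cannot carry `frame-ancestors`, which is why a header, as proposed above, covers more of the Observatory's checks.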

@ghost ghost mentioned this issue Mar 3, 2017
5 tasks
@carols10cents carols10cents changed the title Security improvements Recheck Mozilla's Observatory after #586 is fixed Mar 4, 2017
@carols10cents
Member

Thank you for making #586 with a checklist for all the headers, @Insomgla! I've changed the title of this one to check how we're doing after those get taken care of.

@carols10cents carols10cents added the C-bug 🐞 Category: unintended, undesired behavior label Aug 2, 2017
@carols10cents
Member

As mentioned in #597, crates.io now gets an A-! Closing!


3 participants