mozilla / addons

☂ Umbrella repository for Mozilla Addons ✨

addons.mozilla.org has failed the web security baseline #13898

Closed moz-hwine closed 3 years ago

moz-hwine commented 3 years ago

Site https://addons.mozilla.org has failed the web security baseline scan.

The failing tests are:

Cross-Domain Misconfiguration [10098] x 1

This issue was automatically raised.

This issue is managed automatically by the baseline scan:

Full details, including how to test for these issues locally, can be found on this Security Baseline Service dashboard. If you have any questions or concerns please get in contact with secops+web-baseline@mozilla.com

willdurand commented 3 years ago

I don't know what that means but why does it mention the production site and then a -stage URL?

willdurand commented 3 years ago

$ curl -I https://addons.allizom.org/firefox/downloads/file/1096490/webextension_with_image-1.0-fx.xpi
HTTP/1.1 302 Found
Access-Control-Allow-Origin: *
Content-Length: 0
Content-Security-Policy: form-action 'self' https://developer.mozilla.org; child-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/recaptcha/; font-src 'self' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; media-src https://videos.cdn.mozilla.net; img-src 'self' data: blob: https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net https://addons-stage-cdn.allizom.org; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/recaptcha/; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; object-src 'none'; default-src 'self'; base-uri 'self' https://addons.mozilla.org https://addons.allizom.org; script-src https://www.google-analytics.com/analytics.js https://www.google.com/recaptcha/ https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; connect-src 'self' https://sentry.prod.mozaws.net https://www.google-analytics.com https://addons.cdn.mozilla.net https://addons-stage-cdn.allizom.org; report-uri /__cspreport__
Content-Type: text/html; charset=utf-8
Date: Tue, 08 Dec 2020 09:45:09 GMT
Location: https://addons-stage-cdn.allizom.org/user-media/addons/1004962/webextension_with_image-1.0-fx.xpi?filehash=sha256%3A09f4f42f525303f276128653802209ae725130e431ee95fe16275a1171cd7541
Public-Key-Pins: max-age=5184000; includeSubDomains; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
Server: nginx
Strict-Transport-Security: max-age=31536000
Vary: X-Country-Code
Vary: User-Agent
X-AMO-Request-ID: a09c315c25c84c8c8cb835ba1506930a
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Target-Digest: sha256:09f4f42f525303f276128653802209ae725130e431ee95fe16275a1171cd7541
X-XSS-Protection: 1; mode=block
Connection: keep-alive

willdurand commented 3 years ago

@arroway could you help us figure out what this issue is about please?

g-k commented 3 years ago

Hey Will, looks like it's this error: https://www.zaproxy.org/docs/alerts/10098/ and ZAP is unhappy with the Access-Control-Allow-Origin: * CORS header.

Is it fine for the addon to be publicly accessible cross origin? (I don't think there's any risk in it, and it's also available via the CDN)

If so, I can update the ZAP config to ignore the CORS error. Would an exception for /firefox/downloads/file/*/*.xpi match all the download routes for all the extensions?
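As an added illustration (not code from this thread, from AMO or from ZAP), the check below flags the wildcard Access-Control-Allow-Origin header the way the 10098 alert does and applies a per-path exception list like the /firefox/downloads/file/*/*.xpi pattern proposed above; the sample response is constructed, not a captured one.

```python
"""Flag Access-Control-Allow-Origin: * responses, honouring a path exception list."""
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample response in the shape of the 302 discussed in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Length: 0\r\n"
    "Location: https://cdn.example.invalid/user-media/addons/1/x.xpi\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (status_line, {lowercased header name: value}) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def cors_finding(headers):
    """Approximate the ZAP 10098 check: a wildcard ACAO is reported; wildcard plus
    Access-Control-Allow-Credentials: true is reported separately (browsers refuse
    that combination, but it still signals a misconfigured origin policy)."""
    acao = headers.get("access-control-allow-origin")
    if acao != "*":
        return None
    if headers.get("access-control-allow-credentials", "").lower() == "true":
        return "wildcard-with-credentials"
    return "wildcard"


def is_exempt(url, patterns):
    """True if the URL path matches a shell-style pattern. Note that fnmatch's '*'
    also matches '/', so a pattern can match deeper paths than intended."""
    path = urlsplit(url).path
    return any(fnmatch(path, p) for p in patterns)


def scan(url, raw_response, exceptions=()):
    """Return a finding label, or None when there is none or the path is exempt."""
    _, headers = parse_headers(raw_response)
    finding = cors_finding(headers)
    if finding and is_exempt(url, exceptions):
        return None
    return finding
```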

willdurand commented 3 years ago

@g-k hey, I am wondering why this is failing now. Is it a new rule?

g-k commented 3 years ago

I'm not sure. Did anything on AMO change?

The scans were busted a while back, or it could be a change in ZAP.

edit: looks like the rule that failed was promoted to release in 2019 https://github.com/zaproxy/zap-extensions/blob/master/addOns/pscanrules/CHANGELOG.md#25---2019-12-16 so it's probably our scanning infra. FWIW I'm looking into overhauling it in Q1.

@hwine did you hook up GH issue filing to the ZAP baseline recently?

hwine commented 3 years ago

@hwine did you hook up GH issue filing to the ZAP baseline recently?

No, simon set up all the baseline reporting.

moz-hwine commented 3 years ago

The web security baseline scan for site https://addons.mozilla.org now passes - well done team!

g-k commented 3 years ago

Huh, I didn't change anything.