alexgibson
commented
1 year ago @stevejalim is this issue still relevant / needed?
Closed stevejalim closed 4 months ago
alexgibson
commented
1 year ago @stevejalim is this issue still relevant / needed?
stevejalim
commented
1 year ago It would be good to do, but not essential - some people might find it odd that assets are loaded from .mozilla.org and it also means we have to have .mozilla.org in the CSP allowlist for Pocket Mode. Creating a domain-level alias for the same assets bucket would mean we could tidy this up
Description
At the moment getpocket.com's marketing pages load marketing assets (css, js, images) from the same S3 bucket that Mozorg uses.
While we can't yet separate those bundles, we could add a CNAME for the bucket so that we can load the assets from a getpocket.com subdomain (eg marketing-pages-assets.getpocket.com, avoiding any potential clash with a subdomain used by the core Pocket webapp).
This would allow us to tighten up the CSP config for Pocket Mode , so that it no longer has to allow www.mozilla.org in prod.
(Ideally we'd also do this for dev and staging, to avoid having to include *.allizom.org in our Pocket-Mode CSP config too)
Success Criteria