mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

patch to Access-Control-Allow-Origin #106

Closed hdatma closed 7 years ago

hdatma commented 7 years ago

http-observatory/httpobs/scanner/analyzer/misc.py

+# http://www.w3.org/TR/access-control/#access-control-allow-origin-response-header
+ if 'null' in domains:
+          output['result'] = 'cross-origin-resource-sharing-is-null'
+
if '*' in domains:
            output['result'] = 'cross-origin-resource-sharing-implemented-with-universal-access'
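Review bot: the new `if 'null' in domains:` branch assigns `output['result']` and then falls through to the unchanged `if '*' in domains:` check, which assigns the same key, so when a header lists both values the null finding is silently overwritten by the universal-access one; make the second check an `elif`, or state explicitly which finding should take precedence. The added `if` is also indented one space deeper than the existing `if '*' in domains:` it sits beside, so the indentation needs aligning before the block parses consistently. Finally, the branch deserves a comment on what the match means: in CORS, `Access-Control-Allow-Origin: null` does not withhold content, it grants read access to any document whose origin serializes to "null" (for example sandboxed frames and data: or file: documents), so from a scanner's point of view this is a permissive configuration to flag, not evidence that content is hidden.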

http-observatory/httpobs/scanner/grader/grade.py

# Cross-origin resource sharing
+
+# http://www.w3.org/TR/access-control/#access-control-allow-origin-response-header
+'cross-origin-resource-sharing-is-null': {
+  'description': 'Content is not visible via cross-origin resource sharing (CORS) files or headers',
+  'modifier': +5,
+},
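Review bot: the description "Content is not visible via cross-origin resource sharing (CORS) files or headers" and the `+5` modifier do not match what the header value means; `Access-Control-Allow-Origin: null` is an allow-listed origin value, not an absence of sharing, and it can be satisfied by documents whose origin is "null", so this entry rewards a weakening of the policy. Score it as a non-positive modifier, consistent with how the existing `cross-origin-resource-sharing-implemented-with-universal-access` result is treated, and reword the description to say that the header permits the null origin. The key string does match the one emitted in misc.py, which is good; the comment link above the entry is the right place to cite why the value is considered unsafe.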
april commented 7 years ago

I'm not sure what the patch is? Can you send a PR and describe what it's doing? Thanks!

hdatma commented 7 years ago

https://github.com/mozilla/http-observatory-website/issues/5

hdatma commented 7 years ago

Since you are in Mozilla's security lab, would you please ask your supervisor to please ask their own supervisor to please put someone in charge of writing a comprehensive configuration script for the ESR source code?

You see, one thing is to say that you care about users' privacy and security, and another is to inject FF-ESR with half-baked and privacy-eroding code. The configuration script ought to opt-out (avoid compiling and be clear of) technologies like the following:

browser.pocket browser.safebrowsing browser.tabs.crashReporting browser.chrome.favicons browser.chrome.site_icons browser.newtabpage browser.snippets browser.search.geoSpecificDefaults browser.search.geoip camera.control.face_detection.enabled datareporting device.sensors dom.battery dom.gamepad dom.vibrator (on desktop!) dom.vr experiments geo.enabled geo.wifi gfx.font_rendering.graphite gfx.downloadable_fonts identity.fxaccounts loop media.webspeech media.webaudio media.peerconnection network.allow-experiments network.prefetch-next pdfjs services.sync social toolkit.telemetry toolkit.crashreporter webGL webRTC window.name

Thank you.