Enable CSP violation reporting for a small proportion of visits #14451

Open
2 tasks
stevejalim opened this issue Apr 15, 2024 · 0 comments · May be fixed by #14453
Labels: Backend Server stuff yo
stevejalim commented Apr 15, 2024

Description

We don't currently enable CSP violation reports on www.mozilla.org.

This is partly because it's likely to be incredibly noisy with false positives (things like add-ons will try to inject legitimate things, which get blocked by the rules, and if we get told about every instance of this, that'd be a lot).

Also, if we choose to use Sentry as our reporting backend (like we do for future.m.o) the volume of false positives across 100% of our traffic would rapidly exhaust the allocated Sentry quota.

However, while exploring django-csp, I found there is a setting that enables us to report for just X% of violations.

As a rough ballpark I'm assuming at least two million pages served per day, so initially setting X to 0.5% would be ~10k pages a day. Worst-case, if every single one of those had a CSP violation on it, that's still well within our quota and would be easy to spot/tune/disable if need be.

Success Criteria

  • Bedrock has a new setting for the CSP report header, pointing to the default Sentry profile for Dev/Stage/Prod/Test/Demo
  • 0.5% of pages are served with the report-uri header, which points to an appropriate Sentry profile - we can check this by loading ~200 pages with script and checking the headers.
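The header check from the second success criterion, written out as an added example (this is not bedrock's or django-csp's own code): it counts how many of a set of responses carry a report-uri or report-to directive in either CSP header. The fetch helper, the header names it inspects and the constructed sample responses (including the placeholder Sentry URL) are assumptions, not taken from the issue.

```python
"""Count how many sampled responses carry a CSP report directive.
Added example (not bedrock's code): assumes sampling is applied to
report-uri (django-csp 3.x) or report-to in either CSP header."""
import urllib.request
from collections.abc import Iterable

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def has_report_directive(headers: dict[str, str]) -> bool:
    """True if any CSP header on the response names report-uri or report-to."""
    for name, value in headers.items():
        if name.lower() in CSP_HEADERS:
            policy = parse_csp(value)
            if "report-uri" in policy or "report-to" in policy:
                return True
    return False

def report_rate(header_sets: Iterable[dict[str, str]]) -> tuple[int, int]:
    """Return (responses with a report directive, total responses)."""
    total = with_report = 0
    for headers in header_sets:
        total += 1
        with_report += has_report_directive(headers)
    return with_report, total

def fetch_header_sets(url: str, n: int) -> Iterable[dict[str, str]]:
    """Request url n times and yield each response's headers (needs network)."""
    for _ in range(n):
        req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            yield dict(resp.headers.items())

if __name__ == "__main__":
    # Constructed stand-in for fetch_header_sets(url, 200): 199 plain
    # responses plus one carrying the sampled report-uri (placeholder URL).
    base = "default-src 'self'; script-src 'self'"
    sample = [{"Content-Security-Policy": base} for _ in range(199)]
    sample.append({"Content-Security-Policy": f"{base}; report-uri https://sentry.example/PLACEHOLDER"})
    hit, total = report_rate(sample)
    print(f"{hit}/{total} responses carried a report directive ({100 * hit / total:.2f}%)")
```

At 0.5%, 200 requests give an expected count of one report-bearing response, so a result of zero is weak evidence and a few thousand requests give a usable estimate. If responses come from a CDN cache, the measured rate reflects whichever variant was cached rather than the origin's sampling.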
@stevejalim stevejalim self-assigned this Apr 15, 2024
@stevejalim stevejalim added Backend Server stuff yo WIP 🚧 Pull request is still work in progress labels Apr 15, 2024
@stevejalim stevejalim removed the WIP 🚧 Pull request is still work in progress label Apr 16, 2024