"Practical security implementation guides" and the Observatory

[wbamberg]

This is a kind of evolution of some of the discussion in https://github.com/orgs/mdn/discussions/802.

---

I've been thinking a bit about the "practical security implementation guides" section of the web security docs.

The history of this is that it was originally not on MDN, and was the backing docs for the Mozilla Observatory. In mdn/content#33793 it was moved into MDN and sort of un-branded, made into generic security guidelines documentation. The original documentation is still up on inforsec.mozilla.org: https://infosec.mozilla.org/guidelines/web_security.html.

So it currently sort of serves two purposes:

1. it's generic "security 101" documentation, and this is mostly how it presents itself
2. it's still backing docs for the Observatory, and must still do that, otherwise Observatory links will break.

This is a bit tricky, because it means we have to be careful making updates in the mode of (1), not to break the mode of (2).

Also, there is some stuff in there is highly influenced by the Observatory, and it's not clear how it sits on MDN. For example, the table in HTTP security fundamentals assigns "impact", "difficulty" and "required" to items. Is this what MDN thinks, or what the observatory thinks? For example, if I want to change a rating (because for example I think SRI should have a higher impact than "low"), who decides this? Similarly, it's not clear what "Required" means. Required for what?

So I think it might make sense to kind of corrall the stuff that the Observatory has a strong dependency on: that means really, having a section that's a kind of bridge between the Observatory and MDN, that talks about the observatory and that includes destinations for links from the observatory, and includes anything observatory-specific like the table. That then gives the rest of the section the freedom to talk about "security 101" in whichever way we see fit.

[wbamberg]

I'd like to know, as well: what are the exact links that the Observatory needs to see on MDN? What's the contract between the Observatory and MDN?

[wbamberg]

From https://developer.mozilla.org/en-US/observatory/docs/tests_and_scoring#tests_and_score_modifiers, it looks like the set of links that the Observatory expects to find are:

• CSP
• Cookie attributes
• CORS
• HTTP redirection
• Referrer Policy
• HSTS
• SRI
• X-Content-Type-Options
• X-Frame-Options/frame-ancestors
• CORP

[globau]

For example, if I want to change a rating (because for example I think SRI should have a higher impact than "low"), who decides this?

Recommendations and scoring in the Observatory are owned by Mozilla's Infrastructure Security team. General process is an issue is raised in mdn/mdn-http-observatory, then MDN-Engineering initiate the request with InfraSec in our internal issue tracker where they take over to obtain a decision. Once made, MDN-Engineering will update the implementation if required.