Hi All,

This week we shipped FxA train-78 to production, with the following
highlights:


  * Improved logging for cases where we get an email bounce notification
    without corresponding flow-event data.

  * Fixed the logging of flow events for auth-server errors, which
    should tell us more about where and why users are failing out
    of the signup funnel.

  * We've removed `unsafe-eval` from our CSP rules, which we previously
    had in place to support Selenium tests.  This leaves us with no
    report-only CSP rules, a nice win for thoroughness of our security.

  * More PRs in our continuing quest to stabilize functional tests.

  * We now stringify WebChannel payloads when sending to Firefox 50
    or higher, as an additional defense-in-depth security measure
    for client code; see this bug for details on why:

       https://bugzilla.mozilla.org/show_bug.cgi?id=1275616

  * Right-to-left text rendering now works properly in the devices &
    apps view.

  * External links on about:accounts will now open in new tabs, which
    should make them work properly on e.g. Fennec.

  * The "reset password" page now includes the name of the relier to
    which you're logging in, to guard against possible phishing
    attempts if a user is tricked into clicking through to the
    reset page.

  * Several security-related headers have been added to oauth-server
    and profile-server endpoints, to guard against e.g. clickjacking
    attempts.
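
    As an added example (not FxA code), a small header audit that checks
    the two properties the CSP item and the security-header item above
    describe: that the effective script-src no longer permits
    'unsafe-eval', and that framing is restricted against clickjacking.
    The header values below are constructed samples, not real responses.

```javascript
// Added example, not FxA project code. Audits a response's CSP and
// X-Frame-Options headers for the two properties discussed above.

// Parse "directive value value; directive value" into Map(directive -> [values]).
// Per the CSP spec, a repeated directive name is ignored (first occurrence wins).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, values.map((v) => v.toLowerCase()));
    }
  }
  return directives;
}

// Effective script source list: script-src, else default-src, else unrestricted.
function allowsUnsafeEval(csp) {
  const src = csp.get('script-src') || csp.get('default-src') || [];
  return src.includes("'unsafe-eval'");
}

// frame-ancestors takes precedence over X-Frame-Options when present; a wildcard
// frame-ancestors is treated as unrestricted. Otherwise DENY/SAMEORIGIN counts.
function framingRestricted(csp, xfo) {
  const fa = csp.get('frame-ancestors');
  if (fa) return !fa.includes('*');
  const v = (xfo || '').trim().toUpperCase();
  return v === 'DENY' || v === 'SAMEORIGIN';
}

// headers: plain object with lower-cased header names, e.g. from a Node response.
function auditHeaders(headers) {
  const csp = parseCsp(headers['content-security-policy'] || '');
  return {
    unsafeEval: allowsUnsafeEval(csp),
    clickjackingProtected: framingRestricted(csp, headers['x-frame-options']),
    reportOnly: Boolean(headers['content-security-policy-report-only']),
  };
}

// Constructed samples: roughly "before" and "after" the changes described above.
const SAMPLE_BEFORE = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-eval'",
};
const SAMPLE_AFTER = {
  'content-security-policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
};
```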

  * The customs-server can now report badly-behaved IPs to an external
    "ip reputation" service that the cloud security team are developing.
    It's not enabled in production yet though.

  * The profile-server now coerces all its db connections into strict
    mode, regardless of what mode is configured as default on the
    database.  If this change seems to work out OK in production we'll
    roll it out to other servers in the stack as well.

Special thanks this week go to Greg Guthe, who contributed the
security-header and ip-reputation fixes.  Thanks Greg!


As always, you can find more details in the changelogs for each repo:

  https://github.com/mozilla/fxa-auth-server/blob/v1.78.3/CHANGELOG.md
  https://github.com/mozilla/fxa-content-server/blob/v0.78.1/CHANGELOG.md
  https://github.com/mozilla/fxa-oauth-server/blob/v0.78.0/CHANGELOG.md
  https://github.com/mozilla/fxa-customs-server/blob/v0.78.0/CHANGELOG.md
  https://github.com/mozilla/fxa-profile-server/blob/v0.78.0/CHANGELOG.md


There are also detailed PR metrics included below if you're interested.


  Cheers,

    Ryan



------------

This train we are shipping work on the following features:

  * FxA-89: devices view:    2 PRs (now  49 / 55 =  89% complete)

As well as 31 general quality improvements.
_______________________________________________
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct