
Updated 6 months ago

Http observatory

At a glance
I found a (new to me) tool on MDN. Their "HTTP Observatory" https://developer.mozilla.org/en-US/observatory. I tried a few different websites and then Webstudio's. I needed to use the legacy version of the tool because the status code was not 200. https://observatory.mozilla.org/analyze/webstudio.is

The attached image has the same issues on a few sites that I've published with Webstudio. Is this something that can be improved on my side (cloudflare or within the builder) or will it need to be Webstudio hosting?
Attachment
CleanShot_2024-08-07_at_13.59.342x.png
20 comments
I heard something in a news podcast. They just merged with MDN.
I was just reading some docs and saw that link for the first time. Looks like they merged recently. https://developer.mozilla.org/en-US/blog/mdn-http-observatory-launch/
@Oleg Isonen, is this something I could handle with Cloudflare or would I need to make a request in Webstudio?
What specifically do you mean? Setting those additional headers?
Yes, that's what I mean.
You can surely set them if you proxy requests via a worker, or maybe even just in CF settings, not sure, but we should set those headers ourselves anyway.

I am not sure any of these are actually a security threat in our case @Ivan Starkov would know more
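The two options raised above (a Cloudflare Worker that proxies requests and adds headers, versus the site setting them itself) both come down to the same thing: a response that carries the headers the Observatory checks. Below is an added example, not Webstudio's or Cloudflare's own code, of a Worker-style wrapper that fills in missing headers without overriding ones the origin already set, plus a small audit that reports which checked headers a response lacks or sets weakly. The header names are the ones the Observatory scores; the values, the "six months" HSTS threshold and the sample header sets are assumptions chosen for a site that allows third-party scripts and images, as this thread describes.

```javascript
// Added example (not Webstudio code). Baseline response headers for a site
// that permits third-party scripts and images. Values are assumptions; a
// real site must tune script-src (nonces or hashes) to its own inline code.
const SECURITY_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self' https:; script-src 'self' https:; " +
    "img-src 'self' https: data:; object-src 'none'; " +
    "frame-ancestors 'self'; base-uri 'self'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Cross-Origin-Resource-Policy": "same-site",
};

// Assumed minimum HSTS max-age (six months in seconds).
const MIN_HSTS_MAX_AGE = 15768000;

// Header names are case-insensitive; normalise a plain object to lower-case keys.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Fill in missing baseline headers. Existing values win, so an origin that
// already sends a stricter CSP or X-Frame-Options is left untouched.
function addSecurityHeaders(headers) {
  const out = normalize(headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    const key = name.toLowerCase();
    if (!(key in out)) out[key] = value;
  }
  return out;
}

// Worker-style use on a Fetch API Response (Cloudflare Workers, Node 18+):
// copy the upstream response so its headers become mutable, then fill gaps.
function withSecurityHeaders(response) {
  const res = new Response(response.body, response);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (!res.headers.has(name)) res.headers.set(name, value);
  }
  return res;
}

// Minimal CSP parser: "directive source source; directive ..." -> object.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Report missing or weak headers. Returns [] when everything passes.
function auditSecurityHeaders(headers) {
  const h = normalize(headers);
  const findings = [];
  for (const name of Object.keys(SECURITY_HEADERS)) {
    if (!(name.toLowerCase() in h)) findings.push(`missing: ${name}`);
  }
  const csp = h["content-security-policy"];
  if (csp) {
    const d = parseCsp(csp);
    const scriptSrc = d["script-src"] || d["default-src"] || [];
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push("weak: script-src allows 'unsafe-inline'");
    }
    // frame-ancestors is only honoured in the header form of CSP; a policy
    // delivered via <meta http-equiv> cannot carry it, so check for it here.
    if (!("frame-ancestors" in d)) findings.push("weak: CSP lacks frame-ancestors");
  }
  const hsts = h["strict-transport-security"];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    const age = m ? Number(m[1]) : 0;
    if (age < MIN_HSTS_MAX_AGE) findings.push(`weak: HSTS max-age ${age} below ${MIN_HSTS_MAX_AGE}`);
  }
  return findings;
}

// Constructed sample: an origin response with no security headers at all.
const sampleOrigin = { "Content-Type": "text/html; charset=utf-8" };
console.log("before:", auditSecurityHeaders(sampleOrigin));
console.log("after: ", auditSecurityHeaders(addSecurityHeaders(sampleOrigin)));
```

Run it with `node` to see the audit before and after the baseline is applied. The audit is deliberately stricter than "header present": it flags `'unsafe-inline'` in `script-src` and a CSP without `frame-ancestors`, which is the practical difference between delivering CSP as a header and as a `<meta>` tag, since the meta form cannot express `frame-ancestors` (nor `report-uri` or `sandbox`). When both a header and a meta policy are present, browsers enforce each one independently, so the meta tag can only tighten, never relax, what the header allows.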
@Ivan Starkov should we create an issue?
All such headers are usually set by the framework, i.e. Remix in our case. Anyway, the same can be done with meta tags - <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';" />
Not sure we need this, as we are allowing 3rd party scripts, we are allowing 3rd party images etc. And as of now the default policies cover this.
Should we create an issue to keep these reports somewhere in case this discussion comes up again? It would be good to have a pointer to link to, with these specific answers there.
Because I don't like security allegations
If you are wrong for some reason, then they can argue it in that issue.
Please put your response for those we don't need to do there, and why; then we can do the remaining ones that we need to do.
Based on our permissive model we can add a permissive header on everything, same as nothing.
Just to make that tool silent.
But if it's covered with meta tags, I have no idea whether it will prefer meta or header.
Until we allow everything, it's not a security issue.
I think there are 3 headers mentioned there, are they all not a security issue? Can you please address each of them individually in the issue. If it's not a security concern, that's fine, I just want to have a written statement in the issue I can link to if this comes up again.
Thank you both for looking into this!