In bug 1513311 for "remote css" we restricted urls to resource chrome https://img-getpocket.cdn.mozilla.net

There's a number of requests including layout endpoint, spoc endpoint, feed endpoint, article images, article links.

If any of those are not local, they probably should restrict which domains, requires https, no cookies, etc.

Not sure how we want to deal with testing/development ergonomics at least for the layout endpoint… perhaps nightly/dev builds are allowed a larger list of domains?

I'm fairly sure that in production all spoc and recommendation feeds will come from https://getpocket.cdn.mozilla.net and all images come from https://img-getpocket.cdn.mozilla.net. During development we also use https://*.dev.readitlater.com or https://getpocket.com.

Are you able to whitelist *.mozilla.net, *.readitlater.com, and getpocket.com? All of these work on HTTPS, so it's fine to require that.

Checked with Nick, and the above list is good for this release.

Ed, is this required for 66?

[Tracking Requested - why for this release]: part of Pocket + newtab mvp

k88hudson, I believe we can wontfix this for 66 if bug 1524669 (already tracking66+) will cover both article images and links? The remaining item here would be feed requests, and I believe the meeting last week we decided that it wouldn't be necessary for 66 experiments to ensure those are of the allowed domains.

Also, it was confirmed that the approach of having a whitelist in a pref is acceptable and that for development/manual testing, that person should change the pref to include the desired additional dev domain, etc. For automation, we probably want to allow data uris too.

This seems reasonable. Just to clarify, you also mean that we should also whitelist image URLs via a separate whitelist pref?

Confirmed that restricting image URLs more than protocol (already covered by CSP) to some domains is not necessary and is potentially undesired if we need to change image endpoints. So the main concern is just whitelisting the layout and article/spoc feed requests.

QA steps:

1. try to change .config layout endpoint to https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=dev-test-all (note getpocket.com instead of cdn)

2. open new tab and verify it didn't change layout

3. change browser.newtabpage.activity-stream.discoverystream.endpoints to "https://getpocket.com/"

4. change layout endpoint to https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic

5. open new tab and verify it changed to that layout but has no articles (error console should show something like Failed to fetch https://getpocket.cdn.mozilla.net/v3/… Not one of allowed prefixes (https://getpocket.com/)

6. change .endpoints to "https://getpocket.com/,https://getpocket.cdn.mozilla.net/"

7. change layout endpoint to https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=66-beta-2-complex

8. open new tab and verify it changed to that layout with articles

Brahmini, you're up! QA instructions in #c9 above

This bug hasn't made it to nightly yet, it should make it in by tomorrow (i.e. is not ready for testing yet)

Thanks for the update. Can you NI me when it's ready.

https://hg.mozilla.org/mozilla-central/rev/a34bdd9a2ebc

QA Results: Pass

Tested on :

FF Nightly version : 68.0a1 (2019-03-18)
OS : Mac and Windows 10 Pro

Works as expected on latest Nightly.

Marking as verified.