mozilla
Ensure that secrets cannot be leaked into client-side bundles.
We currently split out client keys by virtue of a client-only config [1] which is a stand-in for the config module used under node this relies on the webpack define plugin.
Whilst we have tests for how that it setup we don't have anything that can provide a cast-iron guarantee that secrets exposed via the config in [2] (Most likely overriden via env vars through [3] ) that they wouldn't end up in client-side code.
One solution would be to add tests to make sure no code from config is found in the built bundles.
A better solution might be to never configure secrets via the general config modules since they are shared (albeit to a limited degree) and to instead rely on some kind of config which will only run on the server?
[1] https://github.com/mozilla/addons-frontend/blob/master/src/core/client/config.js [2] https://github.com/mozilla/addons-frontend/tree/master/config [3] https://github.com/mozilla/addons-frontend/blob/master/config/custom-environment-variables.json
┆Issue is synchronized with this Jira Task
