Ensure that secrets cannot be leaked into client-side bundles.

[muffinresearch]

We currently split out client keys by virtue of a client-only config [1] which is a stand-in for the config module used under node this relies on the webpack define plugin.

Whilst we have tests for how that it setup we don't have anything that can provide a cast-iron guarantee that secrets exposed via the config in [2] (Most likely overriden via env vars through [3] ) that they wouldn't end up in client-side code.

One solution would be to add tests to make sure no code from config is found in the built bundles.

A better solution might be to never configure secrets via the general config modules since they are shared (albeit to a limited degree) and to instead rely on some kind of config which will only run on the server?

[1] https://github.com/mozilla/addons-frontend/blob/master/src/core/client/config.js [2] https://github.com/mozilla/addons-frontend/tree/master/config [3] https://github.com/mozilla/addons-frontend/blob/master/config/custom-environment-variables.json

┆Issue is synchronized with this Jira Task

[kumar303]

Yeah, maybe we could make a literal serverConfig object which is isolated from any other config. If some value is only needed on the server then it doesn't need to be available elsewhere. For example, serverPort and serverHost don't need to be in any shared config.

[kumar303]

Here is a lint rule that will help achieve this goal: https://github.com/mozilla/addons/issues/2017

[muffinresearch]

Maybe superceded by https://github.com/mozilla/addons/issues/10396

[KevinMind]

Old Jira Ticket: https://mozilla-hub.atlassian.net/browse/ADDFRNT-113