Page MenuHomePhabricator
Create Task
Maniphest T111707

Security: Remove default CSP headers in favor of handling centrally via RESTBase
Closed, ResolvedPublic
Actions

Description

The mobileapps service currently provides a set of default CSP headers. Per @GWicke's suggestion these should be removed in favor of central handling via RESTBase.

(If we decide to override the centrally provided CSP headers later, the restrictions should be tighter than they are currently. )

This is a follow-up task from the content service security review (T109023) -- see the discussion there for further background.

Details

SubjectRepoBranchLines +/-
Security: Remove CSP headers in favor of handling centrally via RESTBasemediawiki/services/mobileappsmaster+8 -33
Customize query in gerrit

Related Objects

Event Timeline

Mholloway created this task.Sep 7 2015, 4:29 PM
Mholloway raised the priority of this task from to Medium.
Mholloway updated the task description. (Show Details)
Mholloway added a project: Mobile-Content-Service.
Mholloway moved this task to Incoming on the Mobile-Content-Service board.
Mholloway added subscribers: Mholloway, GWicke.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 7 2015, 4:29 PM
gerritbot subscribed.Sep 7 2015, 6:27 PM

Change 236585 had a related patch set uploaded (by Mholloway):
Security: Remove CSP headers in favor of handling centrally via RESTBase

https://gerrit.wikimedia.org/r/236585

gerritbot added a project: Patch-For-Review.Sep 7 2015, 6:27 PM
Mholloway claimed this task.Sep 7 2015, 6:28 PM
Mholloway moved this task from Incoming to Code Review on the Mobile-Content-Service board.
Mholloway set Security to None.
Mholloway moved this task from Code Review to Tracking on the Mobile-Content-Service board.Sep 7 2015, 9:39 PM
Mholloway added a comment.Sep 7 2015, 9:47 PM

As reflected on T109023 there is ongoing discussion over how to handle CSP headers and there will likely be changes to the template. Leaving the patch open on Gerrit to rebase over template changes later.

Mholloway added a subscriber: bearND.Sep 7 2015, 9:50 PM
mobrovac closed this task as Resolved.Nov 10 2015, 12:50 AM
mobrovac subscribed.

As of PR 333, RESTBase drops the back-end service's CSP headers to the floor if the content is not HTML/SVG. Given that this service's routes all output JSON data (with the exception of mobile-html which will be removed soon anyway), the emitted headers are never received by the end client, so closing this task. The corresponding Gerrit patchset may be abandoned as well.

As a side note, the service template will allow the CSP sending to be configurable once PR 51 is merged.

gerritbot added a comment.Nov 10 2015, 2:42 PM

Change 236585 abandoned by Mholloway:
Security: Remove CSP headers in favor of handling centrally via RESTBase

Reason:
See T111707.

https://gerrit.wikimedia.org/r/236585

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL