A significant portion of security vulnerabilities in MediaWiki are XSS vulnerabilities. Content-Security-Policy is an HTTP header that allows you to disable certain HTML features which are commonly used when exploiting XSS vulnerabilities. Adopting CSP has the potential to make MediaWiki sites significantly safer.
See https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy for the full proposal. See http://www.w3.org/TR/CSP2/ for the official CSP spec.
- The only ways left to run script would be `<script src="foo">`, where foo is on a whitelist, or `<script nonce="bar">`, where bar matches the nonce sent in the HTTP header.
- This will break a lot of old gadgets. JS code following modern conventions mostly won't break. Nonetheless, this will probably make a lot of local admins angry. I think this cost is worth the vast benefits; however, we will need to provide support to communities to help them deal with the change.
- On the bright side, this will force people to update old code that is using dangerous patterns. Local on-wiki JS is definitely one of our weakest spots security-wise.
- We can enable CSP piece by piece, starting with the non-controversial directives and working our way up. We can also enable a report-only mode beforehand to see what will break.
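The following is an added example, not code from MediaWiki or from the RFC, modelling the two points above: a `script-src` policy that only admits whitelisted hosts or a per-response nonce, and the switch to the report-only header for a dry run. All host names, paths and the report endpoint are constructed placeholders, and the evaluator deliberately models only `'self'`, nonces and full-origin host sources (no hashes, wildcards or `'unsafe-inline'`).

```python
"""Minimal model of a nonce + whitelist script-src policy (added example,
not MediaWiki code).  Origins and paths below are constructed."""
import secrets
from urllib.parse import urlsplit


def make_nonce() -> str:
    # A fresh, unguessable nonce per response; reusing one across responses
    # would let an attacker who saw it once inject a script that passes.
    return secrets.token_urlsafe(16)


def build_csp_header(nonce, script_hosts, report_only=False, report_uri=None):
    """Return (header_name, header_value) for the response.

    script_hosts: full origins allowed for <script src>, e.g. "https://static.example.org".
    report_only:  emit Content-Security-Policy-Report-Only, which sends
                  violation reports but never blocks anything.
    """
    sources = ["'self'", f"'nonce-{nonce}'"] + list(script_hosts)
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(sources),
        "object-src 'none'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def parse_script_src(header_value):
    """Extract the script-src source list from a serialized policy string."""
    for directive in header_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def script_allowed(sources, *, page_origin, src=None, nonce=None):
    """Decide whether a <script> element would execute under `sources`.

    Inline scripts (src is None) run only with a nonce present in the header.
    External scripts run only if their origin is 'self' or a listed host.
    Hash sources, wildcards and 'unsafe-inline' are not modelled.
    """
    if src is None:
        return nonce is not None and f"'nonce-{nonce}'" in sources
    u = urlsplit(src)
    origin = f"{u.scheme}://{u.netloc}".lower()
    host_sources = {s.lower() for s in sources if not s.startswith("'")}
    if origin in host_sources:
        return True
    return "'self'" in sources and origin == page_origin.lower()


def demo():
    """Walk through the cases the notes describe; returns a dict of outcomes."""
    page = "https://wiki.example.org"          # constructed wiki origin
    nonce = make_nonce()
    name, value = build_csp_header(nonce, ["https://static.example.org"],
                                   report_uri="/w/csp-report")
    srcs = parse_script_src(value)
    return {
        "header": name,
        "inline_with_nonce": script_allowed(srcs, page_origin=page, nonce=nonce),
        "inline_without_nonce": script_allowed(srcs, page_origin=page),
        "inline_wrong_nonce": script_allowed(srcs, page_origin=page, nonce="guess"),
        "whitelisted_host": script_allowed(srcs, page_origin=page,
                                           src="https://static.example.org/gadget.js"),
        "same_origin": script_allowed(srcs, page_origin=page, src=page + "/load.php"),
        "foreign_host": script_allowed(srcs, page_origin=page,
                                       src="https://other.example.net/x.js"),
        "dry_run_header": build_csp_header(nonce, [], report_only=True)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Rolling this out piece by piece, as the last note suggests, means shipping `build_csp_header(..., report_only=True)` first, collecting the reports, and only then switching the header name; the policy string itself does not change between the two phases.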