CentralNotice should have an option to emit Content Security Policy headers on banner previews and prominently display warnings when CSP violations are detected.
Description
Details
operations/mediawiki-config : master | CentralNotice: emit CSP headers on banner previews |
mediawiki/extensions/CentralNotice : wmf_deploy | Emit CSP headers on banner previews |
operations/mediawiki-config : master | Beta CentralNotice: emit CSP headers on banner previews |
mediawiki/extensions/CentralNotice : master | Emit CSP headers on banner previews |
Event Timeline
Change 420754 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@master] WIP emit CSP headers on banner previews
There's a core patch to calculate all the headers: https://gerrit.wikimedia.org/r/253969
It would be a shame to add a whole nother setting just for this patch, but we could definitely add the headers to forced banner previews without worrying about how much else we break.
Core CSP ticket: T135963
Request for comment: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
If the core CSP patch is going to take months, we certainly COULD use the attached patch and just add a new config variable with the whole set of CSP headers.
Change 420754 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@master] Emit CSP headers on banner previews
@Bawolff Hi! Any thoughts on exactly what header to use (configurable via config) for this? Thanks much!!!! :)
Here's the header currently in use on foundationwiki:
default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';
@Ejegg Thanks!!! That looks quite decent... On Metawiki, I don't see any script sources other than meta.wikimedia.org, so we could perhaps change *.wikimedia.org in script-src to just that?
Let's also make a config change that's appropriate for the beta cluster... That'll allow at least some brief testing (and keep banner previews working) there...
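As an added illustration of what the quoted foundationwiki policy actually permits, and of the effect of narrowing `script-src` to `meta.wikimedia.org` as suggested above, here is a small policy checker. It is example code written for this page, not code from CentralNotice, MediaWiki core or the linked core patch; the narrowed header and the test URLs are constructed, and the source matching is a simplified reading of the CSP spec (paths in host-sources are ignored, and the page origin is assumed to be `https://meta.wikimedia.org`).

```python
"""Added example (not part of the task or of CentralNotice): parse a CSP header
and check which fetches it would allow, so the policy can be reviewed before it
is emitted on banner previews."""
from urllib.parse import urlsplit

# Policy quoted in the task for foundationwiki.
FOUNDATIONWIKI_CSP = (
    "default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org "
    "*.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org "
    "*.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org "
    "data: blob: 'self'; "
    "script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; "
    "style-src *.wikimedia.org data: 'unsafe-inline' 'self';"
)

# Constructed variant: script-src narrowed to the Meta-Wiki host, as proposed.
META_NARROWED_CSP = FOUNDATIONWIKI_CSP.replace(
    "script-src *.wikimedia.org", "script-src meta.wikimedia.org"
)

NETWORK_SCHEMES = ("http", "https", "ws", "wss")


def parse_csp(header):
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # *.wikimedia.org -> meta.wikimedia.org
    return host == pattern


def source_allows(source, url, origin):
    """True if one source expression permits fetching url from a page at origin.
    Simplified: path components of host-sources are ignored."""
    src = source.lower()
    target, page = urlsplit(url), urlsplit(origin)
    if src in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False                            # these never permit a fetch
    if src == "'self'":
        return target.scheme == page.scheme and target.netloc == page.netloc
    if src == "*":
        return target.scheme in NETWORK_SCHEMES  # data:/blob: need an explicit scheme-source
    if src.endswith(":"):                       # scheme-source, e.g. data: or blob:
        return target.scheme + ":" == src
    if "://" in src:                            # host-source with explicit scheme
        scheme, _, host = src.partition("://")
        if target.scheme != scheme:
            return False
    else:                                       # bare host-source: page's scheme or https
        host = src
        if target.scheme not in (page.scheme, "https"):
            return False
    return _host_matches(host, target.hostname or "")


def fetch_allowed(policy, directive, url, origin="https://meta.wikimedia.org"):
    """Apply a fetch directive, falling back to default-src as browsers do."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                             # nothing restricts this fetch
    return any(source_allows(s, url, origin) for s in sources)


def weak_sources(policy):
    """Report directives carrying sources a reviewer would want flagged."""
    risky = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}
    return {name: sorted(set(srcs) & risky)
            for name, srcs in policy.items() if set(srcs) & risky}


if __name__ == "__main__":
    for label, header in (("foundationwiki", FOUNDATIONWIKI_CSP),
                          ("narrowed", META_NARROWED_CSP)):
        policy = parse_csp(header)
        print(label, "upload.wikimedia.org script allowed:",
              fetch_allowed(policy, "script-src", "https://upload.wikimedia.org/x.js"))
        print(label, "flagged sources:", weak_sources(policy))
```

Running it shows the trade-off the comment above is about: with the foundationwiki header, any `*.wikimedia.org` host may serve scripts to a preview, while the narrowed header only admits `meta.wikimedia.org` (plus `'self'`), and images or other fetches still fall back to the broad `default-src`. `weak_sources` also surfaces the `'unsafe-inline'` and `'unsafe-eval'` entries in `script-src`, which mean that policy does not block inline script on a preview even though it limits external script hosts.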
Change 427235 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews
Change 427273 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews
Change 427275 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews
Change 427273 merged by jenkins-bot:
[operations/mediawiki-config@master] Beta CentralNotice: emit CSP headers on banner previews
Change 427275 merged by jenkins-bot:
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews
Change 427235 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews
Mentioned in SAL (#wikimedia-operations) [2018-04-18T17:35:20Z] <dereckson@tin> Synchronized wmf-config/CommonSettings.php: Emit CSP headers on banner previews (T190100, no-op for now) (duration: 01m 16s)