
Option to enforce CSP on banner previews and flag errors
Closed, Resolved · Public · 2 Story Points

Description

CentralNotice should have an option to emit Content Security Policy headers on banner previews and prominently display warnings when CSP violations are detected.

Details

Related Gerrit Patches:
operations/mediawiki-config (master): CentralNotice: emit CSP headers on banner previews
mediawiki/extensions/CentralNotice (wmf_deploy): Emit CSP headers on banner previews
operations/mediawiki-config (master): Beta CentralNotice: emit CSP headers on banner previews
mediawiki/extensions/CentralNotice (master): Emit CSP headers on banner previews

Event Timeline

Ejegg created this task. Mar 19 2018, 10:57 PM
Restricted Application added a subscriber: Aklapper. Mar 19 2018, 10:57 PM

Change 420754 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@master] WIP emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/420754

Ejegg added a comment. Mar 26 2018, 7:56 PM

There's a core patch to calculate all the headers: https://gerrit.wikimedia.org/r/253969

It would be a shame to add a whole nother setting just for this patch, but we could definitely add the headers to forced banner previews without worrying about how much else we break.

Core CSP ticket: T135963

Request for comment: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy

Ejegg added a comment. Mar 27 2018, 7:54 PM

If the core CSP patch is going to take months, we certainly COULD use the attached patch and just add a new config variable with the whole set of CSP headers.

Ejegg claimed this task. Apr 4 2018, 8:26 PM
Ejegg triaged this task as High priority.
Ejegg set the point value for this task to 2.

Change 420754 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@master] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/420754

@Bawolff Hi! Any thoughts on exactly what header to use (configurable via config) for this? Thanks much!!!! :)

Ejegg added a comment. Apr 13 2018, 7:32 PM

Here's the header currently in use on foundationwiki:

default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';

@Ejegg Thanks!!! That looks quite decent... On Metawiki, I don't see any script sources other than meta.wikimedia.org, so we could perhaps change *.wikimedia.org in script-src to just that?

Let's also make a config change that's appropriate for the beta cluster... That'll allow at least some brief testing (and keep banner previews working) there...
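An added example, not CentralNotice or MediaWiki code: a small JavaScript CSP source matcher that parses the foundationwiki policy quoted above and checks which URLs each directive permits, including the narrowing of script-src to meta.wikimedia.org suggested in the previous comment. It assumes a hypothetical page origin of https://foundation.wikimedia.org and handles only the source forms that appear in that policy (scheme sources, '*', '*.host', exact hosts and 'self').

```javascript
// Added example (not CentralNotice code). Simplified matcher: ignores port and
// scheme rules for host sources, and never matches keywords such as 'unsafe-inline'.

// Policy quoted in the thread for foundationwiki, copied verbatim.
const FOUNDATIONWIKI_CSP =
  "default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org " +
  "*.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org " +
  "*.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org " +
  "data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' " +
  "'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';";

// Split a header value into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a duplicated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit the given URL object?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;             // keywords, nonces, hashes
  if (source === '*') return true;
  if (source.endsWith(':')) return url.protocol === source; // e.g. data:, blob:
  const host = url.hostname;
  const src = source.toLowerCase();
  if (src.startsWith('*.')) {
    const suffix = src.slice(1);                         // '.wikimedia.org'
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === src;
}

// Resolve the effective directive (falling back to default-src) and test a URL.
function isAllowed(header, directive, urlString, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) || policy.get('default-src') || [];
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}
```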

Change 427235 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427235

Change 427273 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427273

Change 427275 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427275

Change 427273 merged by jenkins-bot:
[operations/mediawiki-config@master] Beta CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427273

Change 427275 merged by jenkins-bot:
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427275

Change 427235 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427235

Mentioned in SAL (#wikimedia-operations) [2018-04-18T17:35:20Z] <dereckson@tin> Synchronized wmf-config/CommonSettings.php: Emit CSP headers on banner previews (T190100, no-op for now) (duration: 01m 16s)

AndyRussG closed this task as Resolved. Apr 25 2018, 3:35 PM