Change 420754 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@master] WIP emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/420754

There's a core patch to calculate all the headers: https://gerrit.wikimedia.org/r/253969

It would be a shame to add a whole nother setting just for this patch, but we could definitely add the headers to forced banner previews without worrying about how much else we break.

Core CSP ticket: T135963

Request for comment: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy

If the core CSP patch is going to take months, we certainly COULD use the attached patch and just add a new config variable with the whole set of CSP headers.

Change 420754 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@master] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/420754

@Bawolff Hi! Any thoughts on exactly what header to use (configurable via config) for this? Thanks much!!!! :)

Here's the header currently in use on foundationwiki:

default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';

@Ejegg Thanks!!! That looks quite decent... On Metawiki, I don't see any script sources other than meta.wikimedia.org, so we could perhaps change *.wikimedia.org in script-src to just that?

Let's also make a config change that's appropriate for the beta cluster... That'll allow at least some brief testing (and keep banner previews working) there...

Change 427235 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427235

Change 427273 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427273

Change 427275 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427275

Change 427273 merged by jenkins-bot:
[operations/mediawiki-config@master] Beta CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427273

Change 427275 merged by jenkins-bot:
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427275

Change 427235 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427235

Mentioned in SAL (#wikimedia-operations) [2018-04-18T17:35:20Z] <dereckson@tin> Synchronized wmf-config/CommonSettings.php: Emit CSP headers on banner previews (T190100, no-op for now) (duration: 01m 16s)