Page MenuHomePhabricator
Create Task
Maniphest T190100

Option to enforce CSP on banner previews and flag errors
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

CentralNotice should have an option to emit Content Security Policy headers on banner previews and prominently display warnings when CSP violations are detected.

Details

ProjectBranchLines +/-Subject
operations/mediawiki-configmaster+5 -0CentralNotice: emit CSP headers on banner previews
mediawiki/extensions/CentralNoticewmf_deploy+46 -3Emit CSP headers on banner previews
operations/mediawiki-configmaster+6 -0Beta CentralNotice: emit CSP headers on banner previews
mediawiki/extensions/CentralNoticemaster+46 -3Emit CSP headers on banner previews
Customize query in gerrit

Related Objects

Event Timeline

Ejegg created this task.Mar 19 2018, 10:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 19 2018, 10:57 PM
gerritbot added a subscriber: gerritbot.Mar 20 2018, 4:30 PM

Change 420754 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@master] WIP emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/420754

Ejegg added a comment.Mar 26 2018, 7:56 PM

There's a core patch to calculate all the headers: https://gerrit.wikimedia.org/r/253969

It would be a shame to add a whole nother setting just for this patch, but we could definitely add the headers to forced banner previews without worrying about how much else we break.

Core CSP ticket: T135963

Request for comment: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy

Ejegg added a comment.Mar 27 2018, 7:54 PM

If the core CSP patch is going to take months, we certainly COULD use the attached patch and just add a new config variable with the whole set of CSP headers.

Ejegg claimed this task.Apr 4 2018, 8:26 PM
Ejegg triaged this task as High priority.
Ejegg moved this task from Review to Pending Deployment on the Fundraising Sprint Gravity wasn't always this pushy board.
Ejegg set the point value for this task to 2.
gerritbot added a comment.Apr 10 2018, 4:34 PM

Change 420754 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@master] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/420754

AndyRussG added a subscriber: AndyRussG.Apr 13 2018, 4:02 PM

@Bawolff Hi! Any thoughts on exactly what header to use (configurable via config) for this? Thanks much!!!! :)

Ejegg added a comment.Apr 13 2018, 7:32 PM

Here's the header currently in use on foundationwiki:

default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';

AndyRussG added a comment.Apr 17 2018, 7:45 PM

@Ejegg Thanks!!! That looks quite decent... On Metawiki, I don't see any script sources other than meta.wikimedia.org, so we could perhaps change *.wikimedia.org in script-src to just that?

Let's also make a config change that's appropriate for the beta cluster... That'll allow at least some brief testing (and keep banner previews working) there...

gerritbot added a comment.Apr 17 2018, 8:25 PM

Change 427235 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427235

gerritbot added a comment.Apr 17 2018, 10:13 PM

Change 427273 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427273

gerritbot added a comment.Apr 17 2018, 10:26 PM

Change 427275 had a related patch set uploaded (by Ejegg; owner: Ejegg):
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427275

gerritbot added a comment.Apr 17 2018, 10:36 PM

Change 427273 merged by jenkins-bot:
[operations/mediawiki-config@master] Beta CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427273

gerritbot added a comment.Apr 18 2018, 4:39 PM

Change 427275 merged by jenkins-bot:
[operations/mediawiki-config@master] CentralNotice: emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427275

gerritbot added a comment.Apr 18 2018, 4:47 PM

Change 427235 merged by jenkins-bot:
[mediawiki/extensions/CentralNotice@wmf_deploy] Emit CSP headers on banner previews

https://gerrit.wikimedia.org/r/427235

Stashbot added a subscriber: Stashbot.Apr 18 2018, 5:35 PM

Mentioned in SAL (#wikimedia-operations) [2018-04-18T17:35:20Z] <dereckson@tin> Synchronized wmf-config/CommonSettings.php: Emit CSP headers on banner previews (T190100, no-op for now) (duration: 01m 16s)

AndyRussG closed this task as Resolved.Apr 25 2018, 3:35 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL