Which tasks should we be watching? What are their plans and timelines? How will this affect us?
Description
Related Objects
- Mentioned In
- T230212: Meet with fr-online to discuss security and CSP changes around RML
- Mentioned Here
- T28508: Content Security Policy (CSP)
Event Timeline
The RFC for implementing CSP in core has a pretty clear set of steps: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
That RFC leaves till the last step fully blocking 3rd party images and iframes, but the report-only CSP currently being served does report on those. So if they go to step 6 (actually enforcing CSP on the main wikis) without adding exceptions to img-src and child-src they'll break the RML form.
Had a meeting with the security team today, where we determined that there will not be any changes coming from them in the next 6 months that will break RML for the banners. They've got a whole lot of other components to work through before they can make CSP enforcing. However, they would be happy if we had a plan to improve privacy next year for donors using that feature.
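To make the point in the earlier comment concrete (report-only CSP only reports on third-party images and iframes, while an enforcing policy without img-src and child-src exceptions would block them), here is an added Python example that is not part of this task or of MediaWiki's CSP implementation. It uses a simplified source matcher (no ports, paths, nonces or hashes), and all host names and policies in it are constructed placeholders.

```python
from urllib.parse import urlsplit

def parse_policy(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url, page_origin):
    """True if one CSP source expression permits url ('self' resolves to page_origin)."""
    u = urlsplit(url)
    if source == "'self'":
        return source_allows(page_origin, url, page_origin)
    if source in ("'none'",):
        return False
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source such as https:
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else f"{u.scheme}://{source}")
    if s.scheme != u.scheme:
        return False
    if s.hostname.startswith("*."):  # wildcard host-source
        return u.hostname.endswith(s.hostname[1:])
    return s.hostname == u.hostname

def fetch_outcome(header_name, header_value, directive, url, page_origin):
    """Return 'allowed', 'reported' (report-only header) or 'blocked' (enforcing header)."""
    policy = parse_policy(header_value)
    # A directive that is absent falls back to default-src; an unset default allows anything.
    sources = policy[directive] if directive in policy else policy.get("default-src", ["*"])
    if any(source_allows(src, url, page_origin) for src in sources):
        return "allowed"
    return "reported" if header_name.lower().endswith("-report-only") else "blocked"

# Constructed placeholders: the task names no hosts or policies.
PAGE_ORIGIN = "https://wiki.example.org"
FORM_IMAGE = "https://payments.example.net/logo.png"    # third-party image in the form
FORM_IFRAME = "https://payments.example.net/form"       # third-party iframe in the form
WITHOUT_EXCEPTIONS = "default-src 'self'; img-src 'self' upload.example.org"
WITH_EXCEPTIONS = ("default-src 'self'; img-src 'self' upload.example.org payments.example.net; "
                   "child-src 'self' payments.example.net")

def form_outcomes(header_name, header_value):
    """Outcome for the form's image (img-src) and iframe (child-src) under one header."""
    return {"img-src": fetch_outcome(header_name, header_value, "img-src", FORM_IMAGE, PAGE_ORIGIN),
            "child-src": fetch_outcome(header_name, header_value, "child-src", FORM_IFRAME, PAGE_ORIGIN)}
```

Running `form_outcomes` with both header names against both policies shows the transition described in the thread: the report-only header only reports the two loads, the enforcing header blocks them, and only the policy carrying the extra img-src and child-src entries allows them.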