Page MenuHomePhabricator
Create Task
Maniphest T229607

Look into CSP changes in core
Closed, ResolvedPublic0 Estimated Story Points
Actions

Description

Which tasks should we be watching? What are their plans and timelines? How will this affect us?

Related Objects

Event Timeline

DStrine created this task.Aug 1 2019, 6:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 1 2019, 6:49 PM
DStrine moved this task from Triage to Sprint +1 on the Fundraising-Backlog board.Aug 2 2019, 4:27 PM
DStrine assigned this task to Ejegg.Aug 6 2019, 8:31 PM
DStrine moved this task from Sprint +1 to Current Sprint on the Fundraising-Backlog board.
DStrine added a project: Fundraising Sprint Princess Mongodb.Aug 6 2019, 9:07 PM
Ejegg added a comment.Aug 9 2019, 1:45 PM

The grandparent task for CSP in core is T28508

Ejegg added a comment.Aug 9 2019, 1:54 PM

The RFC for implementing CSP in core has a pretty clear set of steps: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy

Ejegg added a comment.Aug 9 2019, 2:06 PM

That RFC leaves till the last step fully blocking 3rd party images and iframes, but the report-only CSP currently being served does report on those. So if they go to step 6 (actually enforcing CSP on the main wikis) without adding exceptions to img-src and child-src they'll break the RML form.

DStrine added a comment.Aug 9 2019, 4:03 PM

Thanks for looking into this @Ejegg. How does this impact our us and our projects?

DStrine mentioned this in T230212: Meet with fr-online to discuss security and CSP changes around RML.Aug 9 2019, 4:26 PM
Pcoombe subscribed.Aug 9 2019, 5:59 PM
Ejegg moved this task from Backlog to Doing on the Fundraising Sprint Princess Mongodb board.Aug 9 2019, 9:13 PM
DStrine added a project: Fundraising Sprint Quick and the Deadlocked.Aug 20 2019, 8:43 PM
Ejegg moved this task from Backlog to Doing on the Fundraising Sprint Quick and the Deadlocked board.Aug 21 2019, 2:32 AM
Ejegg added a comment.Aug 21 2019, 9:35 PM

Had a meeting with the security team today, where we determined that there will not be any changes coming from them in the next 6 months that will break RML for the banners. They've got a whole lot of other components to work through before they can make CSP enforcing. However, they would be happy if we had a plan to improve privacy next year for donors using that feature.

Ejegg moved this task from Doing to Review on the Fundraising Sprint Quick and the Deadlocked board.Aug 21 2019, 9:35 PM
Ejegg moved this task from Review to Deployed on the Fundraising Sprint Quick and the Deadlocked board.
Pcoombe added a comment.Aug 22 2019, 12:17 PM

That's good to know, thanks @Ejegg!

Ejegg closed this task as Resolved.Aug 26 2019, 8:20 PM
Ejegg triaged this task as Medium priority.
jbolorinos-ctr subscribed.Sep 2 2020, 7:24 PM
jbolorinos-ctr unsubscribed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL