Page MenuHomePhabricator

MW CSP policy should set object-src
Closed, ResolvedPublic


Plugins are often a source of security issues (both XSS for e.g. flash and more generally). Ideally, we should set 'none' to disable them if we don't use them.

Todo: Check if TMH still uses any plugins

Event Timeline

TMH has not used any plugins for a while, at least for Wikimedia. I guess in theory you could configure it to make use of the VLC plugin, but VLC doesn't support NPAPI either any longer and when we switch from Kaltura to Videojs.

Doesn't seem like a 'thing' to me.

Change 572654 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Add object-src 'none' to MW CSP directive (configurable)

Change 572654 merged by jenkins-bot:
[mediawiki/core@master] Add object-src 'none' to MW CSP directive (configurable)