MW CSP policy should set object-src
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Bawolff
	Nov 25 2019, 8:30 AM

Description

Plugins are often a source of security issues (both XSS for e.g. flash and more generally). Ideally, we should set 'none' to disable them if we don't use them.

Todo: Check if TMH still uses any plugins

Details

	Subject	Repo	Branch	Lines +/-
	Add object-src 'none' to MW CSP directive (configurable)	mediawiki/core	master	+67 -34

Customize query in gerrit

Event Timeline

Bawolff created this task.Nov 25 2019, 8:30 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 25 2019, 8:30 AM

Bawolff moved this task from Backlog to MediaWiki on the ContentSecurityPolicy board.Nov 25 2019, 8:30 AM

TMH has not used any plugins for a while, at least for Wikimedia. I guess in theory you could configure it to make use of the VLC plugin, but VLC doesn't support NPAPI either any longer and when we switch from Kaltura to Videojs.

Doesn't seem like a 'thing' to me.

Change 572654 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Add object-src 'none' to MW CSP directive (configurable)

https://gerrit.wikimedia.org/r/572654

gerritbot added a project: Patch-For-Review.Feb 17 2020, 12:16 PM

Change 572654 merged by jenkins-bot:
[mediawiki/core@master] Add object-src 'none' to MW CSP directive (configurable)

https://gerrit.wikimedia.org/r/572654

WFM.

Maintenance_bot removed a project: Patch-For-Review.Feb 19 2020, 1:10 AM

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.21; 2020-02-25).Feb 19 2020, 2:00 AM

MW CSP policy should set object-srcClosed, ResolvedPublicActions

Description

Details

Event Timeline

MW CSP policy should set object-src
Closed, ResolvedPublic
Actions