See also discussion at T240960
Right now there is some differences between prod and beta CSP. Since beta should be testing for prod, we should minimize differences.
There is a question of: Do we put sources in CSP for prod wikis (So you can say load your enwiki gadget from prod). I'm not sure, but i think it makes the most sense for beta to be as much like prod as possible, in which case that means only allowing domains that are in the beta cluster.
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Make Beta labs CSP settings be same as prod but with beta urls | operations/mediawiki-config | master | +44 -41 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Bawolff | T245983 Make beta cluster CSP look identical to prod, except that it uses beta urls | |||
| Resolved | Bawolff | T244124 Make CSP enforce on beta cluster | |||
| Resolved | Bawolff | T246613 Make Sentry extension register its eventgate/sentry end points as CSP sources |
Change 574405 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[operations/mediawiki-config@master] Make Beta labs CSP settings be same as prod but with beta urls
Change 574405 merged by jenkins-bot:
[operations/mediawiki-config@master] Make Beta labs CSP settings be same as prod but with beta urls
Mentioned in SAL (#wikimedia-operations) [2020-02-25T00:21:54Z] <jforrester@deploy1001> Synchronized wmf-config/InitialiseSettings.php: T245983 Set wmgApprovedContentSecurityPolicyDomains (duration: 00m 57s)
Mentioned in SAL (#wikimedia-operations) [2020-02-25T00:23:18Z] <jforrester@deploy1001> Synchronized wmf-config/CommonSettings.php: T245983 Read wmgApprovedContentSecurityPolicyDomains for CSP (duration: 00m 56s)