Page MenuHomePhabricator
Create Task
Maniphest T246639

Consider sending restrictive CSP in cases where $wgOut->disable() is called and scripting not needed
Open, Needs TriagePublic
Actions

Description

Some examples: Exceptions, action=raw, load.php, etc.

As a precaution, it wouldn't hurt for us to send a really restrictive CSP (e.g. default-src 'self'; script-src 'none'; object-src 'none' ) as a paranoia measure for such output. There should be no active html in such a case, so it shouldn't hurt anything.

Not counting: things that output images [its a bit more complex with svg and pdf], RSS [I don't know how this interact with embedded html snippets]

Details

SubjectRepoBranchLines +/-
Send restrictive CSP header on things that do custom outputmediawiki/coremaster+39 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Mar 2 2020, 10:36 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2020, 10:36 AM
gerritbot added a comment.Mar 2 2020, 10:47 AM

Change 575993 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] [WIP] Send restrictive CSP header on things that do custom output

https://gerrit.wikimedia.org/r/575993

gerritbot added a project: Patch-For-Review.Mar 2 2020, 10:47 AM
Bawolff moved this task from Backlog to MediaWiki on the ContentSecurityPolicy board.Mar 23 2020, 12:27 AM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 28 2023, 12:24 AM
bd808 added a parent task: T28508: Content Security Policy (CSP).Jun 7 2023, 7:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL