
Add CSP header to techblog.wikimedia.org to block 3rd party assets
Closed, ResolvedPublic

Description

As a defense-in-depth follow-up to T247569: Investigate 3rd party assets loaded by techblog, it would be ideal to configure techblog to serve a Content-Security-Policy header which allows direct asset loading only from *.wikimedia.org (covers blog, commons, piwik, etc.).

This would need to be tweaked a bit to also function with the still-to-be-set-up staging copy of the blog.

Event Timeline

The CSP rules may need to vary on auth state to accommodate the need to load data from wordpress.com for authenticated users. Needs testing for sure.

Maybe a report-only ruleset and a collector for those reports would be a reasonable way to test out rules? The existing collector at https://tools.wmflabs.org/csp-report/ could be forked to make a collector for the blog if we can't find another place to collect reports.

https://plugins.trac.wordpress.org/browser/content-security-policy-pro/trunk/public/class-content-security-policy-public.php may provide some inspiration.

If you wanted to, you could probably use the prod collector (it just logs to logstash).

We may want to allow phab.wmfusercontent.org as well depending on how porting posts over from Phame blogs ends up happening.

$ curl -I https://techblog.wikimedia.org/ 2>/dev/null | grep content-security-policy
content-security-policy: default-src 'self' *.wikimedia.org; base-uri 'self'; font-src data: 'self' *.wikimedia.org; img-src data: https://phab.wmfusercontent.org 'self' *.wikimedia.org; script-src 'unsafe-inline' 'self' *.wikimedia.org; style-src 'unsafe-inline' 'self' *.wikimedia.org; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content
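As an added example (not code from this task, from the blog's WordPress setup, or from Wikimedia), the following stdlib-only Python checker parses the header captured above and answers the questions the thread raises: which of a set of constructed sample loads the policy would allow (a wordpress.com script or API call of the kind logged-in users need, a phab.wmfusercontent.org image versus a script from the same host, a data: font, a script from the bare apex wikimedia.org), whether inline script is still permitted, and what the Report-Only variant with a report-uri would look like. The page origin and the collector URL are assumptions; the policy string itself is copied from the curl output.

```python
"""Evaluate the techblog CSP against candidate asset loads (added example)."""
from urllib.parse import urlparse

# Assumed for the example: the origin the policy is served from.
PAGE_ORIGIN = "https://techblog.wikimedia.org"

# Policy copied from the curl output in the task.
POLICY = (
    "default-src 'self' *.wikimedia.org; base-uri 'self'; "
    "font-src data: 'self' *.wikimedia.org; "
    "img-src data: https://phab.wmfusercontent.org 'self' *.wikimedia.org; "
    "script-src 'unsafe-inline' 'self' *.wikimedia.org; "
    "style-src 'unsafe-inline' 'self' *.wikimedia.org; "
    "form-action 'self'; frame-ancestors 'none'; block-all-mixed-content"
)

# Fetch directives that fall back to default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "media-src", "object-src", "frame-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token names the directive."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; keep the first.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_matches(pattern, host):
    """'*.example.org' matches any subdomain but NOT the apex 'example.org'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, url):
    """Does one source expression permit a load from url? Covers the forms in
    the task's policy: 'self', 'none', scheme sources (data:), host sources
    with an optional scheme, and '*'. Explicit ports are not modelled."""
    parsed = urlparse(url)
    page = urlparse(PAGE_ORIGIN)
    if expr == "'self'":
        return (parsed.scheme, parsed.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):
        # 'none', 'unsafe-inline', nonces and hashes never match a URL load.
        return False
    if expr == "*":
        return parsed.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":"):
        return parsed.scheme == expr[:-1].lower()
    scheme, _, hostport = expr.rpartition("://")
    # Host source without a scheme must use the page's own scheme (https).
    if parsed.scheme != (scheme.lower() if scheme else page.scheme):
        return False
    return _host_matches(hostport.split(":")[0], parsed.hostname or "")


def effective_sources(directives, directive):
    """Source list governing a directive, honouring the default-src fallback;
    None means the directive is absent and has no fallback (unrestricted)."""
    if directive in directives:
        return directives[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src", [])
    return None


def allows(directives, directive, url):
    sources = effective_sources(directives, directive)
    return True if sources is None else any(source_matches(s, url) for s in sources)


def allows_inline(directives, directive):
    """True when script-src/style-src still permits inline code."""
    return "'unsafe-inline'" in (effective_sources(directives, directive) or [])


def report_only_variant(header, report_uri):
    """Same rules as a Report-Only header that sends violations to a collector
    instead of blocking (the testing approach suggested in the thread)."""
    return ("Content-Security-Policy-Report-Only: " + header.rstrip("; ")
            + "; report-uri " + report_uri)


# Constructed sample loads reflecting the concerns raised in the task.
SAMPLE_LOADS = [
    ("script-src", "https://techblog.wikimedia.org/wp-includes/js/jquery.js"),
    ("script-src", "https://upload.wikimedia.org/example.js"),
    ("script-src", "https://wikimedia.org/example.js"),          # apex, no subdomain
    ("script-src", "https://stats.wp.com/w.js"),                  # wordpress.com asset
    ("connect-src", "https://public-api.wordpress.com/rest/v1.1/"),
    ("img-src", "https://phab.wmfusercontent.org/file/data/example.png"),
    ("script-src", "https://phab.wmfusercontent.org/example.js"),
    ("font-src", "data:font/woff2;base64,AAAA"),
]


def evaluate(header=POLICY, loads=SAMPLE_LOADS):
    """Map each (directive, url) to whether the policy allows it."""
    directives = parse_csp(header)
    return {(d, u): allows(directives, d, u) for d, u in loads}


if __name__ == "__main__":
    for (directive, url), ok in evaluate().items():
        print(f"{'allow' if ok else 'BLOCK':5} {directive:12} {url}")
    print("inline script allowed:", allows_inline(parse_csp(POLICY), "script-src"))
    print(report_only_variant(POLICY, "https://csp-report.example/collect"))
```

Two things the checker makes visible that a reader of the header might miss: `*.wikimedia.org` does not match the apex `wikimedia.org`, so anything served from the bare domain needs its own entry, and `'unsafe-inline'` in `script-src` means the policy only restricts where scripts are fetched from; it does not stop injected inline script, which is the part of CSP that mitigates XSS. `report-uri` is the reporting mechanism the older collectors (such as the wmflabs one mentioned above) understand; `report-to` is its successor.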