
Proxied requests can change a header
Open, Needs Triage, Public

Description

If a Wiki Farm offers custom domains to its users (or possibly in other unexplored situations), they can proxy requests through a server which can change the headers, including the CSP. This could cause undesirable security consequences, including allowing users to load malicious content.

This is easily doable via the CloudFlare workers proxy system.

MediaWiki offers a $wgContentSecurityPolicy header, but it should be enforced in a way that can't be easily hacked and worked around.

Tagging Security-Team due to a recent security-help@ ticket.

cc @Dsharpe so he can copy his comments here
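The mechanism the task describes, as an added example that is not code from MediaWiki, from the task author, or from any real Worker: a proxy that terminates the custom domain sees every response header, so it can replace or drop Content-Security-Policy before the browser sees it. The block models that rewrite in the shape of a Worker fetch handler and then shows the check a wiki operator can run from outside, diffing the policy observed through the custom domain against the one the origin sends. ORIGIN_CSP, LOOSENED_CSP and the host attacker.example are constructed placeholders, not MediaWiki's real policy output; it runs on Node 18+ (global Headers and Response) with no other dependencies.

```javascript
// Added example for this task, not code from MediaWiki or from the task
// author. Models the proxy behaviour described above and a check for it.

// Constructed policy standing in for what the wiki origin sends. It is NOT
// MediaWiki's real $wgContentSecurityPolicy output, just a plausible value.
const ORIGIN_CSP =
  "default-src 'self'; script-src 'self' https://static.example.org; " +
  "object-src 'none'; frame-ancestors 'none'";

// Constructed policy a hostile custom-domain proxy might substitute.
// attacker.example is a placeholder, not a real host.
const LOOSENED_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://attacker.example; " +
  "object-src 'none'; frame-ancestors 'none'";

// Parse a CSP header value into Map<directive, Set<source>>. Browsers honour
// the first occurrence of a repeated directive, so later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, new Set(tokens.slice(1)));
  }
  return directives;
}

// What the proxy can do. Same shape as the core of a Cloudflare Worker fetch
// handler: take the origin Response, copy it, and replace (or drop, when
// newCsp is null) the Content-Security-Policy header before forwarding it.
function rewriteCsp(originResponse, newCsp) {
  const headers = new Headers(originResponse.headers);
  if (newCsp === null) headers.delete('content-security-policy');
  else headers.set('content-security-policy', newCsp);
  return new Response(originResponse.body, {
    status: originResponse.status,
    headers,
  });
}

// What the wiki operator can do about it: fetch the same page via the origin
// and via the custom domain, then diff the policies. Returns a list of
// weakenings (empty if the observed policy is at least as strict). Sources
// removed from a directive are not reported; only added sources and dropped
// directives loosen the policy.
function cspWeakenings(expectedPolicy, observedPolicy) {
  if (observedPolicy == null) return ['Content-Security-Policy header missing'];
  const expected = parseCsp(expectedPolicy);
  const observed = parseCsp(observedPolicy);
  const findings = [];
  for (const [name, allowed] of expected) {
    if (!observed.has(name)) {
      findings.push(`directive dropped: ${name}`);
      continue;
    }
    for (const src of observed.get(name)) {
      if (!allowed.has(src)) findings.push(`${name}: added source ${src}`);
    }
  }
  return findings;
}

// End to end: build the origin response, pass it through the hostile proxy,
// and run the check on what comes out the other side.
function demo(newCsp = LOOSENED_CSP) {
  const origin = new Response('<html></html>', {
    status: 200,
    headers: { 'content-security-policy': ORIGIN_CSP },
  });
  const proxied = rewriteCsp(origin, newCsp);
  return cspWeakenings(ORIGIN_CSP, proxied.headers.get('content-security-policy'));
}

console.log(demo());
```

The check only detects a rewrite after the fact; it cannot prevent one. Whoever runs the proxy controls everything the browser receives for that hostname, so moving the policy into an inline meta tag does not help either (a Worker can rewrite response bodies with HTMLRewriter just as easily as headers). Enforcement therefore has to be a decision about whether user-controlled proxies in front of the wiki are supported at all, with the comparison above used to spot custom domains that are serving a weaker policy than the origin.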

Event Timeline

RhinosF1 created this task. Jun 1 2020, 10:06 PM
Restricted Application added a subscriber: Aklapper. Jun 1 2020, 10:06 PM
RhinosF1 moved this task from Radar to Miraheze-Linked on the User-RhinosF1 board. Jun 1 2020, 10:07 PM

Discussed in Security team's Clinic meeting. Untagging security-team.