
Disallow external JavaScripts at svwiki
Open, Stalled, LowPublic

Description

Hi, I'm one of the interface admins at svwiki. I'd like to have CSP enforced at svwiki, or at least prevent external scripts from running, if full-on CSP enforcement is deemed too controversial or too early. I'm not 100% sure how CSP configuration works. Is it possible to enforce prevention of external scripts while keeping everything else report-only? If so, then that might be a good start if people feel like blocking non-script external resources does more harm than help.

At Swedish Wikipedia I have rewritten several gadgets (like Geonotice, Namespace-sensitiveEdittools and collapsibleTables) to not use javascript: URIs and onClick attributes, although I understand that that's not necessary yet. In October 2018 when the console warnings appeared I removed Wikiminiatlas as an available gadget and explained why on the village pump. No one complained about this, and I think this was the only gadget that broke the defined policies.

Event Timeline

Nirmos created this task. Jun 7 2020, 10:53 PM
Restricted Application added a subscriber: Aklapper. Jun 7 2020, 10:53 PM
Reedy added a subscriber: Reedy. Jun 7 2020, 11:06 PM

> Is it possible to enforce prevention of external scripts while keeping everything else report-only?

What do you mean by everything else?

>> Is it possible to enforce prevention of external scripts while keeping everything else report-only?
>
> What do you mean by everything else?

The other types of resources, like styles, images, frames, fonts, etc.

Urbanecm added a subscriber: Urbanecm.

I guess this needs secteam vetting.

sbassett moved this task from Incoming to Watching on the Security-Team board. Edited Jun 22 2020, 3:26 PM
sbassett added a subscriber: sbassett.

The Security-Team's position on this is that we'd like to wait a bit longer until we can develop a more cohesive and generalized means of deploying enforcing CSPs across a majority/all of the projects, largely to avoid the potential for 900+ separate CSP configs. If this particular issue is not an emergency, which it does not appear to be, then we'd prefer to wait. Also, it's important to note that CSP, while powerful and beneficial in many ways, isn't a foolproof security measure.

Urbanecm changed the task status from Open to Stalled. Aug 20 2020, 11:20 AM
Urbanecm triaged this task as Low priority.