
Production wikis are no longer in report-only mode
Open, Needs Triage, Public

Description

I can't find any Phabricator task about this, so I'm not sure if this is intended. I'll note that in https://phabricator.wikimedia.org/source/mediawiki-config/browse/master/wmf-config/InitialiseSettings.php it says

'wmgUseCSPReportOnlyHasSession' => [
	'default' => true,
]

so this seems like an unintentional regression to me. I also cannot see any assignment to wmgUseCSPReportOnlyHasSession in https://phabricator.wikimedia.org/source/mediawiki-config/browse/master/wmf-config/CommonSettings.php that would override the 'default' => true from InitialiseSettings.

Event Timeline

Nirmos created this task. Jun 16 2020, 1:35 PM
Restricted Application added a subscriber: Aklapper. Jun 16 2020, 1:35 PM

Maybe I should add that this worked in January. There are two CSP-related patches to CommonSettings since then. First https://phabricator.wikimedia.org/rOMWCa31cfb5a177a2cebbf786f74bdde604458a9867c on February 25 and then https://phabricator.wikimedia.org/rOMWC203f468dcdf3f07aa6f2c25bd7486861f8a95af4 on March 16. Neither patch makes any mention of removing the existing report-only for production wikis in their commit messages.

Can you give an example page which is issuing a content-security-policy and not a content-security-policy-report-only header? I only get the latter on testwiki and mediawikiwiki, and I get neither on enwiki or commonswiki (connecting from Europe via esams).

Reedy added a subscriber: Reedy. Jun 16 2020, 4:29 PM
reedy@deploy1001:~$ mwscript eval.php enwiki
> var_dump( $wmgUseCSPReportOnlyHasSession );
bool(true)

https://deployment.wikimedia.beta.wmflabs.org/wiki/Main_Page has a content-security-policy header, but no content-security-policy-report-only header.

https://www.mediawiki.org/wiki/MediaWiki has a content-security-policy-report-only header, but no content-security-policy header.

https://en.wikipedia.org/wiki/Main_Page does not have any CSP header.
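The manual header check above, as an added example that is not code from the task or from mediawiki-config: a small Python audit that classifies a response's CSP state (enforce, report-only, none) and flags a policy that carries no report-uri/report-to directive, since a report-only policy with no reporting endpoint detects nothing. The sample headers and policy strings are constructed to mirror the three states reported in the thread; they are not Wikimedia's real policies.

```python
ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def csp_mode(headers):
    """Return 'enforce', 'report-only' or 'none' for a mapping of response headers."""
    names = {k.lower() for k in headers}
    if ENFORCE in names:
        return "enforce"          # browser blocks violations
    if REPORT_ONLY in names:
        return "report-only"      # browser only reports violations
    return "none"                 # no CSP at all


def parse_csp(value):
    """Split a policy string into {directive: [source-expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(headers, expected):
    """Compare the observed CSP state with the expected one; return a list of findings."""
    findings = []
    mode = csp_mode(headers)
    if mode != expected:
        findings.append(f"expected {expected}, got {mode}")
    for name, value in headers.items():
        if name.lower() in (ENFORCE, REPORT_ONLY):
            directives = parse_csp(value)
            if "report-uri" not in directives and "report-to" not in directives:
                findings.append(f"{name.lower()} has no report-uri/report-to; violations are never reported")
    return findings


# Constructed samples mirroring the thread: beta enforces, mediawiki.org is
# report-only, enwiki sends no CSP header. Policy values are made up.
SAMPLES = {
    "beta": {"Content-Security-Policy": "default-src 'self'; report-uri /example-report-endpoint"},
    "mediawikiwiki": {"Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /example-report-endpoint"},
    "enwiki": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for wiki, hdrs in SAMPLES.items():
        print(wiki, csp_mode(hdrs), audit(hdrs, "report-only"))
```

Feed `audit()` the response headers from any HTTP client to check a live wiki against the mode its configuration is supposed to produce.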

Jdforrester-WMF closed this task as Invalid. Jun 16 2020, 5:13 PM

Yes, so that's behaving as expected? wmgUseCSPReportOnlyHasSession true for all wikis, wmgUseCSPReportOnly true only for group0 and smalls, and wmgUseCSP is true only for Beta Cluster wikis.

Nirmos reopened this task as Open. Jun 16 2020, 7:16 PM
Nirmos added a project: Regression.

svwiki used to be in report-only. It no longer is. It has broken recently (this year). None of the patches I link to indicate that this is intentional.

Was entirely removing CSP headers from $wmgUseCSPReportOnlyHasSession wikis intentional? Because rOMWC203f468dcdf3: Make CSP enforce on beta appears to have had that effect.