
Production wikis are no longer in report-only mode
Open, Needs Triage, Public


I can't find any Phabricator task about this, so I'm not sure if this is intended. I'll note that in it says

'wmgUseCSPReportOnlyHasSession' => [
	'default' => true,
],

so this seems like an unintentional regression to me. I also cannot see any assignment to wmgUseCSPReportOnlyHasSession in that would override the 'default' => true from InitialiseSettings.

Event Timeline

Nirmos created this task. Jun 16 2020, 1:35 PM
Restricted Application added a subscriber: Aklapper. Jun 16 2020, 1:35 PM

Maybe I should add that this worked in January. There are two CSP-related patches to CommonSettings since then. First on February 25 and then on March 16. Neither patch makes any mention of removing the existing report-only for production wikis in their commit messages.

Can you give an example page which is issuing a content-security-policy and not a content-security-policy-report-only header? I only get the latter on testwiki and mediawikiwiki, and I get neither on enwiki or commonswiki (connecting from Europe via esams).

Reedy added a subscriber: Reedy. Jun 16 2020, 4:29 PM
reedy@deploy1001:~$ mwscript eval.php enwiki
> var_dump( $wmgUseCSPReportOnlyHasSession );
bool(true)

has a content-security-policy header, but no content-security-policy-report-only header. has a content-security-policy-report-only header, but no content-security-policy header. does not have any CSP header.
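As an added example (not part of this task or of the MediaWiki configuration code), a small POSIX shell check that classifies a response as enforcing CSP, report-only, both, or neither, so the three cases listed above can be verified from a shell rather than by eye; curl and the URL are assumptions, and the sample headers in the demo are constructed.

```shell
#!/bin/sh
# Classify the CSP posture of an HTTP response from its raw headers.
# Reads the header block on stdin and prints exactly one word:
#   enforce      - only Content-Security-Policy is present
#   report-only  - only Content-Security-Policy-Report-Only is present
#   both         - both headers are present
#   none         - neither header is present
csp_mode() {
  enforce=0
  report=0
  while IFS= read -r line; do
    # Header names are case-insensitive; drop the CR of CRLF line endings
    # and keep only the part before the first colon (values may contain colons).
    name=$(printf '%s' "$line" | tr -d '\r' | cut -d: -f1 | tr 'A-Z' 'a-z')
    case "$name" in
      content-security-policy) enforce=1 ;;
      content-security-policy-report-only) report=1 ;;
    esac
  done
  if [ "$enforce" = 1 ] && [ "$report" = 1 ]; then echo both
  elif [ "$enforce" = 1 ]; then echo enforce
  elif [ "$report" = 1 ]; then echo report-only
  else echo none
  fi
}

# Fetch the response headers of a live page (assumes curl is installed)
# and classify them. Follows redirects so the final page is what is judged.
check_csp() {
  curl -sS -I -L "$1" | csp_mode
}

# Offline demo on constructed headers (not captured from any real wiki).
demo() {
  printf 'HTTP/2 200\r\nContent-Security-Policy-Report-Only: default-src '"'"'self'"'"'\r\nContent-Type: text/html\r\n' | csp_mode
}
```

For a live check, run `check_csp 'https://<wiki>/wiki/Main_Page'`; the output word tells you which of the three situations from the comment above that page is in.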

Jdforrester-WMF closed this task as Invalid. Jun 16 2020, 5:13 PM

Yes, so that's behaving as expected? wmgUseCSPReportOnlyHasSession true for all wikis, wmgUseCSPReportOnly true only for group0 and smalls, and wmgUseCSP is true only for Beta Cluster wikis.

Nirmos reopened this task as Open. Jun 16 2020, 7:16 PM
Nirmos added a project: Regression.

svwiki used to be in report-only. It no longer is. It has broken recently (this year). None of the patches I link to indicate that this is intentional.

Was entirely removing CSP headers from $wmgUseCSPReportOnlyHasSession wikis intentional? Because rOMWC203f468dcdf3: Make CSP enforce on beta appears to have had that effect.