
add $wgCSPHeader CSP Content Security Policy compatibility with $wgUseFileCache file cache
Closed, Invalid, Public


$wgCSPHeader is currently incompatible with $wgUseFileCache.

Quote $wgCSPHeader:

It is not compatible with $wgUseFileCache

Is this something fixable?

Could the CSP be included in the generated file cache HTML files?

Policy Delivery

CSP can be delivered to the user agent in different techniques.

Content-Security-Policy HTTP response header field. This is the most preferred technique.

<meta> HTML element with http-equiv attribute set to Content-Security-Policy. These elements need to be placed as early as possible in the documents.
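An added example (not part of the original task and not MediaWiki code) of what embedding the policy in a cached HTML file would involve: it places the <meta> element directly after <head> and reports the directives that the CSP specification ignores in <meta> delivery. The function names and the sample policy and page are assumptions made for illustration.

```python
import html
import re

# Directives the CSP specification ignores when the policy arrives via
# <meta http-equiv>; they only take effect in the HTTP response header.
META_IGNORED = {"report-uri", "frame-ancestors", "sandbox"}

# Constructed sample policy and page (not taken from any real site).
SAMPLE_POLICY = "default-src 'self'; frame-ancestors 'none'; report-uri /csp"
SAMPLE_PAGE = "<!DOCTYPE html><html><head><title>t</title></head><body></body></html>"


def parse_policy(policy):
    """Split a serialized policy into (name, [values]) pairs; first name wins."""
    seen, out = set(), []
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in seen:  # later duplicates of a directive are ignored
            continue
        seen.add(name)
        out.append((name, parts[1:]))
    return out


def meta_policy(policy):
    """Return (policy usable in <meta>, directives lost, nonce present?)."""
    kept, lost, has_nonce = [], [], False
    for name, values in parse_policy(policy):
        if name in META_IGNORED:
            lost.append(name)
            continue
        has_nonce = has_nonce or any(v.lower().startswith("'nonce-") for v in values)
        kept.append(" ".join([name] + values))
    return "; ".join(kept), lost, has_nonce


def embed_csp(page, policy):
    """Insert the <meta> element directly after <head> in a cached page."""
    usable, lost, has_nonce = meta_policy(policy)
    if has_nonce:  # a nonce stored in a static file is identical for every visitor
        raise ValueError("per-response nonce cannot be stored in a cached file")
    tag = '<meta http-equiv="Content-Security-Policy" content="%s">' % html.escape(usable)
    new_page, n = re.subn(r"(<head\b[^>]*>)", lambda m: m.group(1) + tag, page, count=1, flags=re.I)
    if n != 1:
        raise ValueError("no <head> element found")
    return new_page, lost
```

The list returned alongside the page names the protections that still need the HTTP response header, since a <meta> element cannot carry them.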

Event Timeline

adrelanos renamed this task from add $wgCSPHeader CSP Content Security Policy compatbility with $wgUseFileCache file cache to add $wgCSPHeader CSP Content Security Policy compatibility with $wgUseFileCache file cache. Dec 14 2020, 12:46 PM

I am withdrawing this feature request because I am not using MediaWiki FileCache anymore. Using static caching on the server level (such as nginx proxy_cache) is much more efficient and covers much more.

Having the main HTML document cached helps, but the bottleneck is the files which are regenerated over and over with PHP, which are referenced in the main HTML document with /w/load.php. By using nginx proxy_cache, I managed to have these cached as well, thanks to MediaWiki's great use of Cache-Control (and other) headers. This apparently works great because, as far as I understand, Wikipedia doesn't use FileCache either but Varnish (which is conceptually approximately similar to nginx proxy_cache).

Anyone who has a different view, feel free to re-open this task.