The set of CSP directives supported by MediaWiki core is very limited. Wikis and extensions therefore often have to fall back on default-src to load certain resources (e.g. fonts or frames), which makes the policy broader and thus less secure. Supporting more directives is also a prerequisite for setting default-src 'none' in the future.
Current support
| Directive | Status | Notes |
|---|---|---|
| `default-src` | Configurable since MW 1.35 through `$wgCSPHeader` and `MediaWiki\Request\ContentSecurityPolicy::addDefaultSrc()` | |
| `script-src` | Configurable since MW 1.35 through `$wgCSPHeader` and `MediaWiki\Request\ContentSecurityPolicy::addScriptSrc()` | |
| `style-src` | Configurable since MW 1.35 through `$wgCSPHeader` and `MediaWiki\Request\ContentSecurityPolicy::addStyleSrc()` | |
| `img-src` | Configurable since MW 1.35 through `$wgEnableImageWhitelist` and `$wgAllowExternalImagesFrom`; no direct PHP method to add a source. | |
| `object-src` | Configurable since MW 1.35 through `$wgCSPHeader`; no PHP method to add a source. | |
Potential additions
| Directive | Description | Notes |
|---|---|---|
| **CSP Level 1** | | |
| `connect-src` | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), `<a ping>` and EventSource. Useful for extensions that make API requests, such as UploadWizard (T278472). | |
| `font-src` | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts. | |
| `media-src` | Defines valid sources of audio and video, e.g. the HTML5 `<audio>` and `<video>` elements. Useful for extensions such as TimedMediaHandler. | |
| `frame-src` | Defines valid sources for loading frames. Useful for extensions such as EmbedVideo. Note that it was deprecated in favor of the child-src directive in CSP Level 2, but undeprecated again in Level 3. | |
| `sandbox` | Enables a sandbox for the requested resource, similar to the iframe sandbox attribute. | |
| **CSP Level 2** | | |
| `base-uri` | Defines valid sources for the `<base>` element. | |
| `child-src` | Similar to frame-src. | |
| `frame-ancestors` | Specifies which parent sources may embed a page. A more granular version of the X-Frame-Options HTTP header. | |
| **CSP Level 3** | | |
| `manifest-src` | For the web app manifest. Useful for PWAs such as MobileFrontend and potentially T282500. | |
| `worker-src` | For service workers. Same as above. | |
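What ties the opening paragraph and the table together is the browser's fallback chain: a load type whose directive is not declared is governed by default-src (worker-src and frame-src first try child-src, and worker-src also script-src), while base-uri, frame-ancestors and sandbox never fall back. The Python below is an added example, not MediaWiki code; it models that resolution for a constructed header that declares only the directives core currently exposes, reports which resource types are silently inherited from default-src, and rewrites the policy so that default-src can become 'none' without changing what any fetch directive allows. The nonce, the upload host and the report endpoint in the sample are made up for the example.

```python
"""
Model the CSP fetch-directive fallback chain to see which resource loads a
policy governs only through default-src, and what must be declared before
default-src can be tightened to 'none'. Added example; the fallback table
follows CSP Level 3, and the sample header is constructed, not MediaWiki output.
"""

# For each fetch directive, the order in which browsers look for a source
# list (CSP Level 3). The first one present in the policy governs the load.
FALLBACK = {
    "worker-src":   ["worker-src", "child-src", "script-src", "default-src"],
    "frame-src":    ["frame-src", "child-src", "default-src"],
    "child-src":    ["child-src", "default-src"],
    "connect-src":  ["connect-src", "default-src"],
    "font-src":     ["font-src", "default-src"],
    "img-src":      ["img-src", "default-src"],
    "manifest-src": ["manifest-src", "default-src"],
    "media-src":    ["media-src", "default-src"],
    "object-src":   ["object-src", "default-src"],
    "script-src":   ["script-src", "default-src"],
    "style-src":    ["style-src", "default-src"],
}

# Constructed sample: only the directives MediaWiki core currently exposes are
# declared, so every other resource type inherits default-src.
SAMPLE_HEADER = (
    "default-src 'self' data: blob: https://upload.example.org; "
    "script-src 'self' 'nonce-c0nstructed'; "
    "style-src 'self' 'unsafe-inline'; "
    "object-src 'none'; "
    "report-uri /csp-report-endpoint"
)


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.
    Only the directive name is lower-cased: nonces and hashes are case-sensitive."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        # Browsers ignore a repeated directive, so the first occurrence wins.
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Return (governing_directive, sources) for a load controlled by `directive`,
    or (None, None) if neither it nor any fallback is declared (load unrestricted).
    Directives without a fallback (base-uri, frame-ancestors, sandbox, ...) only
    match themselves."""
    for candidate in FALLBACK.get(directive, [directive]):
        if candidate in policy:
            return candidate, policy[candidate]
    return None, None


def relies_on_default(policy: dict, directives) -> list:
    """Directives in `directives` that the policy governs only via default-src."""
    return sorted(d for d in directives if effective_sources(policy, d)[0] == "default-src")


def tighten_default_src(policy: dict) -> dict:
    """Rewrite the policy with default-src 'none' while every fetch directive keeps
    the sources it resolves to today: inherited source lists are made explicit and
    non-fetch directives are copied verbatim. A fetch directive that was entirely
    unrestricted before (no entry and no default-src) becomes blocked, which is
    the point of tightening."""
    tightened = {"default-src": ["'none'"]}
    for directive in FALLBACK:
        governing, sources = effective_sources(policy, directive)
        if governing is not None:
            tightened[directive] = list(sources)
    for directive, sources in policy.items():
        if directive not in FALLBACK and directive != "default-src":
            tightened[directive] = list(sources)
    return tightened


def serialize_csp(policy: dict) -> str:
    """Turn {directive: [sources]} back into a header value."""
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_HEADER)
    wanted = ["connect-src", "font-src", "media-src", "frame-src",
              "manifest-src", "worker-src", "img-src"]
    for d in wanted:
        print(f"{d:13} <- {effective_sources(policy, d)[0]}")
    print("inherit default-src:", relies_on_default(policy, wanted))
    print(serialize_csp(tighten_default_src(policy)))
```

Running it shows that fonts, frames, media, images, fetch/XHR and the manifest are all whatever default-src happens to permit (here data:, blob: and an upload host, far more than a font loader needs), while worker-src is picked up by script-src. The tightened output is the shape of policy the directives in the table would let core express: a narrow list per resource type and default-src 'none' closing everything else.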
I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP and what the requirements are. Please feel free to edit the list and comment below!
See also
Related: T135963