
Consider adding more CSP directives to MediaWiki core
Open, Needs Triage, Public, Feature

Description

The current set of directives included in MediaWiki core is very limited. Often wikis and extensions have to fall back to default-src to load certain resources (e.g. fonts, frames, etc.), making the policy less strict and thus less secure. It is also the prerequisite to setting default-src 'none' in the future.

Current support

| directive | notes |
| --- | --- |
| default-src | Configurable since MW 1.35 through $wgCSPHeader and MediaWiki\Request\ContentSecurityPolicy::addDefaultSrc() |
| script-src | Configurable since MW 1.35 through $wgCSPHeader and MediaWiki\Request\ContentSecurityPolicy::addScriptSrc() |
| style-src | Configurable since MW 1.35 through $wgCSPHeader and MediaWiki\Request\ContentSecurityPolicy::addStyleSrc() |
| img-src | Configurable since MW 1.35 through $wgEnableImageWhitelist and $wgAllowExternalImagesFrom; no direct PHP method to add a source. |
| object-src | Configurable since MW 1.35 through $wgCSPHeader; no PHP method to add a source. |

Potential additions

CSP Level 1

| directive | notes |
| --- | --- |
| connect-src | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. Useful for extensions that make API requests, such as UploadWizard (T278472). |
| font-src | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts. |
| media-src | Defines valid sources of audio and video, e.g. HTML5 <audio> and <video> elements. Useful for extensions such as TimedMediaHandler. |
| frame-src | Defines valid sources for loading frames. Useful for extensions such as EmbedVideo. Note that it was once deprecated in favor of the child-src directive in CSP Level 2, but undeprecated again in Level 3. |
| sandbox | Enables a sandbox for the requested resource, similar to the iframe sandbox attribute. |

CSP Level 2

| directive | notes |
| --- | --- |
| base-uri | Defines valid sources for the <base> element. |
| child-src | Similar to frame-src. |
| frame-ancestors | Specifies which parent sources may embed a page. A more granular version of the X-Frame-Options HTTP header. |

CSP Level 3

| directive | notes |
| --- | --- |
| manifest-src | For the web app manifest. Useful for PWAs such as MobileFrontend and potentially T282500. |
| worker-src | For service workers. Same as above. |

I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP and what the requirements are. Please feel free to edit the list and comment below!

See also

Related: T135963
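An added example to make the fallback argument in the description concrete. This is illustrative JavaScript, not MediaWiki code and not the behaviour of MediaWiki\Request\ContentSecurityPolicy: it implements the CSP Level 3 fallback chain (font-src falls back to default-src; worker-src falls through child-src and script-src; frame-ancestors and base-uri never fall back) together with a simplified source-expression matcher, and shows why a missing directive forces a wiki to loosen default-src. The policies, hostnames (wiki.example.org, fonts.example.net, upload.example.org) and resource URLs are constructed for the example. It also includes the X-Frame-Options to frame-ancestors equivalence mentioned in the table.

```javascript
// Added example (not MediaWiki code): a minimal CSP Level 3 fallback evaluator.
// When a directive is absent the browser consults a fixed chain of other
// directives; if the chain ends at default-src, the only way to allow the
// resource without the specific directive is to loosen default-src itself.

// Fallback chains per CSP Level 3 (directive -> directives consulted in order).
const FALLBACK = {
  "connect-src": ["connect-src", "default-src"],
  "font-src": ["font-src", "default-src"],
  "img-src": ["img-src", "default-src"],
  "media-src": ["media-src", "default-src"],
  "object-src": ["object-src", "default-src"],
  "script-src": ["script-src", "default-src"],
  "style-src": ["style-src", "default-src"],
  "manifest-src": ["manifest-src", "default-src"],
  "frame-src": ["frame-src", "child-src", "default-src"],
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
  "frame-ancestors": ["frame-ancestors"], // no fallback: absent means unrestricted
  "base-uri": ["base-uri"],               // no fallback: absent means unrestricted
};

// Parse a Content-Security-Policy header value into directive -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1)); // first occurrence wins, as in browsers
  }
  return policy;
}

// Walk the fallback chain; null means nothing in the chain is set (unrestricted).
function effectiveSources(policy, directive) {
  const chain = FALLBACK[directive];
  if (!chain) throw new Error(`unknown directive ${directive}`);
  for (const d of chain) {
    if (policy.has(d)) return { via: d, sources: policy.get(d) };
  }
  return null;
}

function defaultPort(protocol) {
  return { "http:": "80", "ws:": "80", "https:": "443", "wss:": "443" }[protocol] || "";
}

// Simplified source-expression matching: 'self', 'none', *, scheme-source and
// host-source with wildcard subdomain and port; path matching is a prefix check.
// Other keywords (nonces, hashes, 'unsafe-inline') never match a network URL.
function matchesSource(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;
  if (s === "*") return /^(https?|wss?):$/.test(url.protocol); // * never matches data:, blob:, etc.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  if (port && port !== "*" && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Decide whether a load governed by `directive` is allowed, and which directive decided it.
function allows(header, directive, urlString, pageOrigin) {
  const eff = effectiveSources(parsePolicy(header), directive);
  if (eff === null) return { allowed: true, via: null };
  const url = new URL(urlString);
  return { allowed: eff.sources.some((src) => matchesSource(src, url, pageOrigin)), via: eff.via };
}

// X-Frame-Options has an exact frame-ancestors equivalent for its two standard values.
function xfoToFrameAncestors(xfo) {
  const v = xfo.trim().toUpperCase();
  if (v === "DENY") return "frame-ancestors 'none'";
  if (v === "SAMEORIGIN") return "frame-ancestors 'self'";
  throw new Error(`no frame-ancestors equivalent for X-Frame-Options: ${xfo}`);
}

// Constructed policies for illustration; neither is MediaWiki's actual default.
const PAGE = "https://wiki.example.org";
const CURRENT = "default-src 'self'; script-src 'self' https://upload.example.org; object-src 'none'";
const WITH_FONT = CURRENT + "; font-src 'self' https://fonts.example.net";

// No font-src: the webfont check falls back to default-src 'self' and fails.
console.log(allows(CURRENT, "font-src", "https://fonts.example.net/Roboto.woff2", PAGE));
// -> { allowed: false, via: 'default-src' }
console.log(allows(WITH_FONT, "font-src", "https://fonts.example.net/Roboto.woff2", PAGE));
// -> { allowed: true, via: 'font-src' }
// worker-src falls through child-src to script-src before reaching default-src.
console.log(allows(CURRENT, "worker-src", "https://upload.example.org/sw.js", PAGE));
// -> { allowed: true, via: 'script-src' }
// frame-ancestors is absent, so framing is unrestricted despite default-src 'self'.
console.log(allows(CURRENT, "frame-ancestors", "https://attacker.example.com/", PAGE));
// -> { allowed: true, via: null }
console.log(xfoToFrameAncestors("SAMEORIGIN")); // frame-ancestors 'self'
```

The last two calls are the practical point: a strict default-src does nothing for framing, because frame-ancestors (like base-uri) is not in any fallback chain, so it has to be emitted explicitly, for example derived from the X-Frame-Options value the wiki already sends.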

Event Timeline

Change 1007458 had a related patch set uploaded (by Alistair3149; author: Alistair3149):

[mediawiki/core@master] Set the equivalent frame-ancestors in CSP when X-Frame-Options is set

https://gerrit.wikimedia.org/r/1007458

object-src is probably not too useful in modern browsers now that <object> is just a glorified iframe. It probably makes sense to just always have that set to 'none'.

> object-src is probably not too useful in modern browsers now that <object> is just a glorified iframe. It probably makes sense to just always have that set to 'none'.

The current implementation in MW core is to set it to 'none' by default, and override it if manually defined in $wgCSPHeader.