Page MenuHomePhabricator
Create Task
Maniphest T419684

Add restrictive CSP to auth.wikimedia.org
Open, Needs TriagePublic
Actions

Description

auth.wikimedia.org has restricted functionality and no user JS, so it doesn't need to support external resources and could just use an aggressive CSP (e.g. no eval, no external domains other than the canonical domain). Since the XSS threat surface is much smaller than for normal wikis, this is low stakes, but could be an easy-to-implement defense in depth (and also a marginal performance improvement - our standard CSP headers are now at 3K).

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT28508 Content Security Policy (CSP)
 OpenNoneT419684 Add restrictive CSP to auth.wikimedia.org

Event Timeline

Tgr created this task.Mar 11 2026, 11:45 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 11 2026, 11:45 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr renamed this task from Add aggressive CSP for auth.wikimedia.org to Add restrictive CSP to auth.wikimedia.org.Mar 11 2026, 11:45 AM
Tgr added a parent task: T28508: Content Security Policy (CSP).
Tgr updated the task description. (Show Details)
Nirmos subscribed.Mar 11 2026, 12:28 PM
Ladsgroup awarded a token.Mar 12 2026, 9:58 AM
Ladsgroup subscribed.
pmiazga moved this task from Inbox, needs triage to Needs refinement on the MediaWiki-Platform-Team board.Mar 17 2026, 4:01 PM
pmiazga subscribed.

Moving to needs refinement as it requires a discussion on whether we're doing this this quarter.

KockaAdmiralac subscribed.Apr 8 2026, 6:54 PM
sbassett moved this task from Backlog to Wikimedia CSP exceptions / config on the ContentSecurityPolicy board.May 6 2026, 2:51 PM
A_smart_kitten added a project: SUL3.May 6 2026, 4:33 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits