The set of CSP directives currently supported by MediaWiki core is very limited. Wikis and extensions often have to fall back to `default-src` to load certain resources (e.g. fonts, frames), which makes the policy less strict and thus less secure. Broader directive support is also a prerequisite for setting `default-src 'none'` in the future.
**Current support**
| directive | supported | notes
| ----- | ----- | -----
| `default-src` | {icon check color=green} | Configurable since MW 1.35 through [[ https://www.mediawiki.org/wiki/Manual:$wgCSPHeader | $wgCSPHeader ]] and [[ https://doc.wikimedia.org/mediawiki-core/master/php/classMediaWiki_1_1Request_1_1ContentSecurityPolicy.html#adb65ed85c2fd5d588e376fa71cb488d8 | MediaWiki\Request\ContentSecurityPolicy::addDefaultSrc()]]
| `script-src` | {icon check color=green} | Configurable since MW 1.35 through [[ https://www.mediawiki.org/wiki/Manual:$wgCSPHeader | $wgCSPHeader ]] and [[ https://doc.wikimedia.org/mediawiki-core/master/php/classMediaWiki_1_1Request_1_1ContentSecurityPolicy.html#adb65ed85c2fd5d588e376fa71cb488d8 | MediaWiki\Request\ContentSecurityPolicy::addScriptSrc()]]
| `style-src` | {icon check color=green} | Configurable since MW 1.35 through [[ https://www.mediawiki.org/wiki/Manual:$wgCSPHeader | $wgCSPHeader ]] and [[ https://doc.wikimedia.org/mediawiki-core/master/php/classMediaWiki_1_1Request_1_1ContentSecurityPolicy.html#a83ee2639284e6b3a0012ed4274b5eab4 | MediaWiki\Request\ContentSecurityPolicy::addStyleSrc()]]
| `img-src` | {icon check color=green} | Configurable since MW 1.35 through [[ https://www.mediawiki.org/wiki/Manual:$wgEnableImageWhitelist | $wgEnableImageWhitelist ]] and [[ https://www.mediawiki.org/wiki/Manual:$wgAllowExternalImagesFrom | $wgAllowExternalImagesFrom ]]; there is no direct PHP method to add a source.
| `object-src` | {icon check color=green} | Configurable since MW 1.35 through [[ https://www.mediawiki.org/wiki/Manual:$wgCSPHeader | $wgCSPHeader ]]; there is no PHP method to add a source.
**Potential additions**
| directive | supported | notes
| ----- | ----- | -----
| CSP Level 1 | |
| `connect-src` | | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), `<a ping>` and EventSource. Useful for extensions that make API requests, such as [[ https://www.mediawiki.org/wiki/Extension:UploadWizard | UploadWizard ]] (T278472).
| `font-src` | | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts.
| `media-src` | | Defines valid sources of audio and video, e.g. HTML5 `<audio>` and `<video>` elements. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:TimedMediaHandler | TimedMediaHandler ]].
| `frame-src` | | Defines valid sources for loading frames. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:EmbedVideo_(fork) | EmbedVideo ]]. Note that it was deprecated in favor of the `child-src` directive in CSP Level 2, but undeprecated again in Level 3.
| `sandbox` | | Enables a sandbox for the requested resource, similar to the iframe `sandbox` attribute.
| CSP Level 2 | |
| `child-src` | | Similar to `frame-src`.
| `frame-ancestors` | | Specifies which parent sources may embed the page. A more granular version of the `X-Frame-Options` HTTP header.
| CSP Level 3 | |
| `manifest-src` | | For web app manifests. Useful for PWAs such as MobileFrontend and potentially T282500.
| `worker-src` | | For service workers. Same as above.
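To make the fallback problem concrete, here is a small CSP evaluator (an added example, not MediaWiki code) that applies the Level 3 fallback chains and compares two constructed policies: one where a webfont CDN host had to be placed in `default-src` because `font-src` is unavailable, and one where `font-src` scopes it. The host `fonts.example.org` and both header strings are constructed for illustration.

```python
# Added example (not MediaWiki code): a minimal CSP evaluator showing why the
# `default-src` workaround is weaker than a dedicated directive.

# Fallback chains for fetch directives (CSP Level 3): the first directive
# present in the policy governs the request.
FALLBACK_CHAIN = {
    "script-src": ["default-src"], "style-src": ["default-src"],
    "img-src": ["default-src"], "font-src": ["default-src"],
    "connect-src": ["default-src"], "media-src": ["default-src"],
    "object-src": ["default-src"], "manifest-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source exprs]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list that governs `directive`, or None when nothing restricts it."""
    for name in [directive] + FALLBACK_CHAIN.get(directive, []):
        if name in policy:
            return policy[name]
    return None

def host_allowed(policy, directive, host):
    """Exact host-expression match only; wildcards and schemes are not modelled."""
    sources = effective_sources(policy, directive)
    return sources is None or host in sources

# Constructed policies. Without font-src a wiki that needs a webfont CDN must
# put the host into default-src (WIDENED); with font-src it can scope it (SCOPED).
WIDENED = "default-src 'self' fonts.example.org; script-src 'self'; style-src 'self'"
SCOPED = "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' fonts.example.org"

def compare(host="fonts.example.org"):
    """For each fetch directive, (allowed under WIDENED, allowed under SCOPED)."""
    widened, scoped = parse_csp(WIDENED), parse_csp(SCOPED)
    return {d: (host_allowed(widened, d, host), host_allowed(scoped, d, host))
            for d in FALLBACK_CHAIN}
```

Running `compare()` shows the CDN host permitted for `connect-src`, `frame-src` and `media-src` under the widened policy but only for `font-src` under the scoped one.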
I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP and what the requirements are. Please feel free to edit the list and comment below!
**See also**
* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#browser_compatibility
Related: T135963