The set of CSP directives that MediaWiki core can emit is very limited. Wikis and extensions often have to fall back on `default-src` to allow resources that have a directive of their own (fonts, frames, etc.), which makes the policy broader than it needs to be and therefore less secure. Supporting the missing directives is also a prerequisite for eventually setting `default-src 'none'`.
**Current support**
| directive | supported | notes
| ----- | ----- | -----
| `default-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#aa24fca3aa7b2d7a01ac418c2cdfca708 | Configurable ]] since MW 1.35
| `script-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a362f3a09428fa882be628adf791d29af | Configurable ]] since MW 1.35
| `style-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a82f029b2b2f2a232fa031866c8773c62 | Configurable ]] since MW 1.35
| `img-src` | {icon check color=green} | [[ https://www.mediawiki.org/wiki/Manual:$wgEnableImageWhitelist | Configurable ]] through site configuration since MW 1.35, but extensions cannot add sources to it from PHP. (The directive is `img-src`; there is no `image-src` in CSP.)
| `object-src` | {icon wikipedia-w color=yellow} | Emitted since MW 1.35; whether it is configurable has not been confirmed.
**Potential additions**
| directive | status | notes
| ----- | ----- | -----
| CSP Level 1
| `connect-src` | | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), `<a ping>` and EventSource. Useful for extensions that make API requests to other origins.
| `font-src` | | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts; without it a webfont host has to be added to `default-src`.
| `media-src`| | Defines valid sources of audio and video, e.g. HTML5 `<audio>` and `<video>` elements. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:TimedMediaHandler | TimedMediaHandler ]].
| `frame-src`| | Defines valid sources for loading frames. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:EmbedVideo_(fork) | EmbedVideo ]]. Deprecated in CSP Level 2 in favour of `child-src` and reinstated in Level 3; when absent it falls back to `child-src`, then `default-src`.
| `sandbox`| | Enables a sandbox for the requested resource, similar to the iframe `sandbox` attribute. Not a fetch directive, so it has no `default-src` fallback and takes no source list.
| CSP Level 2
| WIP
| CSP Level 3
| `manifest-src` | | For the web app manifest. Useful for PWAs such as MobileFrontend and potentially T282500.
| `worker-src` | | For Worker, SharedWorker and ServiceWorker scripts; when absent it falls back to `child-src`, then `script-src`, then `default-src`. Same use cases as above.
| WIP
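To make the fallback behaviour described above concrete (a resource with no directive of its own is governed by `default-src`; `worker-src` and `frame-src` walk a longer chain), here is a small policy evaluator. It is an added example, not MediaWiki code: it implements the CSP Level 3 fetch-directive fallback rules and a simplified source-expression matcher, and runs them over constructed sample policies and URLs (the hosts `wiki.example.org`, `upload.example.org` and `fonts.example.org` are made up). It shows that with only the directives core emits today, a third-party webfont can only be allowed by widening `default-src`, which then also opens frames and connections to that host.

```python
"""Resolve which CSP directive actually governs a fetch.

Added example, not MediaWiki code: it implements the fetch-directive fallback
rules of CSP Level 3 so you can see which loads end up governed by
`default-src` when a policy only carries the directives core can emit.
The sample policies and URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Fallback chain per fetch directive, most specific first (CSP3):
#   worker-src -> child-src -> script-src -> default-src
#   frame-src  -> child-src -> default-src
#   every other fetch directive -> default-src
FALLBACK = {
    "worker-src": ["child-src", "script-src"],
    "frame-src": ["child-src"],
}


def parse_csp(header):
    """Parse 'a b c; d e' into {directive: [sources]}.

    Directive names are case-insensitive and a repeated directive is ignored
    after its first occurrence, as browsers do."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_directive(policy, directive):
    """Walk the fallback chain; return (name, sources) or (None, None)."""
    for name in [directive, *FALLBACK.get(directive, []), "default-src"]:
        if name in policy:
            return name, policy[name]
    return None, None


def source_matches(expr, url, site_origin):
    """Match one source expression against a URL.

    Covers the subset a wiki policy typically uses: 'none', 'self', '*',
    scheme sources such as data:, exact origins and '*.' host wildcards.
    Ports and path-sources are ignored (simplification); keyword sources
    like 'unsafe-inline' or nonces never match a URL fetch."""
    expr = expr.lower()
    u = urlsplit(url)
    site_scheme = urlsplit(site_origin).scheme
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == site_origin.lower()
    if expr == "*":
        return u.scheme in ("http", "https", "ws", "wss")  # never data:/blob:
    if expr.startswith("'"):
        return False
    if expr.endswith(":") and "://" not in expr:
        return u.scheme == expr[:-1]          # scheme-source, e.g. data:
    scheme, sep, host = expr.partition("://")
    if not sep:                               # bare host: page scheme or https
        host = expr
        if u.scheme not in (site_scheme, "https"):
            return False
    elif u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.netloc.endswith(host[1:])    # "*.example.org" -> ".example.org"
    return u.netloc == host


def evaluate(header, site_origin, directive, url):
    """Return (governing directive, allowed?) for one load."""
    name, sources = governing_directive(parse_csp(header), directive)
    if name is None:
        return None, True                     # CSP does not restrict this load
    return name, any(source_matches(s, url, site_origin) for s in sources)


# --- constructed samples ---------------------------------------------------
SITE = "https://wiki.example.org"
# Only the directives MediaWiki core can emit today.
CORE_ONLY = ("default-src 'self' data: https://upload.example.org; "
             "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; "
             "object-src 'none'")
# The only way to unblock a third-party webfont without font-src.
WIDENED = CORE_ONLY.replace("default-src", "default-src https://fonts.example.org")
# The end state the task is working towards.
LOCKED = ("default-src 'none'; script-src 'self'; style-src 'self'; "
          "img-src 'self' https://upload.example.org")
LOADS = [
    ("font-src", "https://fonts.example.org/inter.woff2"),
    ("frame-src", "https://fonts.example.org/embed"),
    ("connect-src", "https://fonts.example.org/api"),
    ("worker-src", "https://wiki.example.org/w/sw.js"),
    ("img-src", "https://upload.example.org/a.png"),
]


def audit(header):
    """Map each sample load to (governing directive, allowed?)."""
    return {d: evaluate(header, SITE, d, url) for d, url in LOADS}


if __name__ == "__main__":
    for label, header in (("core-only", CORE_ONLY), ("widened", WIDENED), ("locked", LOCKED)):
        print(label)
        for directive, (governed_by, ok) in audit(header).items():
            print(f"  {directive:12} -> {governed_by or '(none)':12} {'allow' if ok else 'BLOCK'}")
```

Running it shows the three situations side by side: under the core-only policy the font, frame and connection all resolve to `default-src` and are blocked; after widening `default-src` to fix the font, frames and fetches to that host become allowed too; and under `default-src 'none'` the font is blocked again until a `font-src` directive exists to carry it.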
I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP or what the requirements are. Please feel free to edit the list and comment below!
**See also**
* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#browser_compatibility
Related: T135963