Change Details

The current directives included in the MediaWiki core is very limited. Often time wikis and extensions would have to fallback to `default-src` to load certain resources (e.g. fonts, frame, etc.), making the policy less strict thus less secured. It is also the perquisite to set `default-src: none` in the future. **Current support** | directive | ? | notes | ----- | ----- | ----- | `default-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#aa24fca3aa7b2d7a01ac418c2cdfca708 | Configurable ]] since MW 1.35 | `script-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a362f3a09428fa882be628adf791d29af | Configurable ]] since MW 1.35 | `style-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a82f029b2b2f2a232fa031866c8773c62 | Configurable ]] since MW 1.35 | `image-src` | {icon check color=green} | [[ https://www.mediawiki.org/wiki/Manual:$wgEnableImageWhitelist | Configurable ]] since MW 1.35, but not accessible in PHP | `object-src` | {icon wikipedia-w color=yellow} | Available since MW 1.35, not sure if it is configurable. **Potential additions** | directive | ? | notes | CSP Level 1 | `connect-src` | | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. Useful for extensions that make API requests. | `font-src` | | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts. | `media-src`| | Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:TimedMediaHandler | TimedMediaHandler ]]. | `frame-src`| | Defines valid sources for loading frames. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:EmbedVideo_(fork) | EmbedVideo ]]. | `sandbox`| | Enables a sandbox for the requested resource similar to the iframe sandbox attribute. | CSP Level 2 | WIP | CSP Level 3 | `manifest-src` | | For webapp manifest. Useful for PWA such as MobileFrontend and potentially T282500 | `worker-src` | | For service worker. Same as above | WIP I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP and what are the requirements. Please feel free to edit the list and comment below! See also * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#browser_compatibility Related: T135963

The current directives included in the MediaWiki core is very limited. Often time wikis and extensions would have to fallback to `default-src` to load certain resources (e.g. fonts, frame, etc.), making the policy less strict thus less secured. It is also the perquisite to set `default-src: none` in the future. **Current support** | directive | ? | notes | ----- | ----- | ----- | `default-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#aa24fca3aa7b2d7a01ac418c2cdfca708 | Configurable ]] since MW 1.35 | `script-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a362f3a09428fa882be628adf791d29af | Configurable ]] since MW 1.35 | `style-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a82f029b2b2f2a232fa031866c8773c62 | Configurable ]] since MW 1.35 | `image-src` | {icon check color=green} | [[ https://www.mediawiki.org/wiki/Manual:$wgEnableImageWhitelist | Configurable ]] since MW 1.35, but not accessible in PHP | `object-src` | {icon wikipedia-w color=yellow} | Available since MW 1.35, not sure if it is configurable. **Potential additions** | directive | ? | notes | CSP Level 1 | `connect-src` | | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. Useful for extensions that make API requests. | `font-src` | | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts. | `media-src`| | Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:TimedMediaHandler | TimedMediaHandler ]]. | `frame-src` | | Defines valid sources for loading frames. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:EmbedVideo_(fork) | EmbedVideo ]]. | `sandbox` | | Enables a sandbox for the requested resource similar to the iframe sandbox attribute. | CSP Level 2 | `frame-ancestors` || Specify what parent source may embed a page. A more granular version of `X-Frame-Options` HTTP header. | CSP Level 3 | `manifest-src` | | For webapp manifest. Useful for PWA such as MobileFrontend and potentially T282500 | `worker-src` | | For service worker. Same as above | WIP I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP and what are the requirements. Please feel free to edit the list and comment below! See also * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#browser_compatibility Related: T135963

The current directives included in the MediaWiki core is very limited. Often time wikis and extensions would have to fallback to `default-src` to load certain resources (e.g. fonts, frame, etc.), making the policy less strict thus less secured. It is also the perquisite to set `default-src: none` in the future. **Current support** | directive | ? | notes | ----- | ----- | ----- | `default-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#aa24fca3aa7b2d7a01ac418c2cdfca708 | Configurable ]] since MW 1.35 | `script-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a362f3a09428fa882be628adf791d29af | Configurable ]] since MW 1.35 | `style-src` | {icon check color=green} | [[ https://doc.wikimedia.org/mediawiki-core/master/php/classContentSecurityPolicy.html#a82f029b2b2f2a232fa031866c8773c62 | Configurable ]] since MW 1.35 | `image-src` | {icon check color=green} | [[ https://www.mediawiki.org/wiki/Manual:$wgEnableImageWhitelist | Configurable ]] since MW 1.35, but not accessible in PHP | `object-src` | {icon wikipedia-w color=yellow} | Available since MW 1.35, not sure if it is configurable. **Potential additions** | directive | ? | notes | CSP Level 1 | `connect-src` | | Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. Useful for extensions that make API requests. | `font-src` | | Defines valid sources of font resources (loaded via @font-face). Useful for wikis that use custom webfonts. | `media-src`| | Defines valid sources of audio and video, eg HTML5 <audio>, <video> elements. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:TimedMediaHandler | TimedMediaHandler ]]. | `frame-src` | | Defines valid sources for loading frames. Useful for extensions such as [[ https://www.mediawiki.org/wiki/Extension:EmbedVideo_(fork) | EmbedVideo ]]. | `sandbox` | | Enables a sandbox for the requested resource similar to the iframe sandbox attribute. | CSP Level 2 | WIP| `frame-ancestors` || Specify what parent source may embed a page. A more granular version of `X-Frame-Options` HTTP header. | CSP Level 3 | `manifest-src` | | For webapp manifest. Useful for PWA such as MobileFrontend and potentially T282500 | `worker-src` | | For service worker. Same as above | WIP I might be able to integrate some of these directives into core. However, I am not sure about the current status of CSP and what are the requirements. Please feel free to edit the list and comment below! See also * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#browser_compatibility Related: T135963