Content Security Policy (CSP)
Open, MediumPublic
Actions

Assigned To

None

Authored By

	• bzimport
	Dec 30 2010, 12:12 PM

Description

Imported from bugzilla.wikimedia.org (original author: seather).

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks and unintentional privacy policy violations. Including:

Reduce Cross Site Scripting (XSS) and data injection attacks.
Avoid accidental loading of images, fonts, styles or other resources from third-party domains.

https://developer.mozilla.org/en/Introducing_Content_Security_Policy
https://www.w3.org/TR/CSP/

Enabling CSP is as easy as configuring your web server to return the Content-Security-Policy HTTP header.

Other products jumping on the band wagon:

phpMyAdmin: http://www.phpmyadmin.net/documentation/changelog.php ("[core] Include Content Security Policy HTTP headers.")
MantisBT: http://www.mantisbt.org/blog/?p=119 ("As Firefox 4 has been pushed back to early 2011 we have more time to finish off the implementation of X-Content-Security-Policy within MantisBT.")
GitHub: http://githubengineering.com/githubs-csp-journey

Details

Reference: bz26508

Related Objects
Search...

Status	Subtype	Assigned	Task
Declined		None	T165455 Go from "E" to "A+" on Securityheaders.io
Open		None	T28508 Content Security Policy (CSP)
Open		None	T117618 Add restrictive CSP to upload.wikimedia.org
Open		None	T239065 Have final CSP policy for upload.wikimedia.org be in report-only mode for all projects
Open		None	T239066 Engage with users about enforced CSP policy on upload.wikimedia.org
Open		None	T239068 Set CSP to enforce across all of upload.wikimedia.org
Open		None	T135963 Add support for Content-Security-Policy (CSP) headers in MediaWiki
Resolved		Krinkle	T196923 CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox)
Open		None	T120888 Create optional XSS filter step for the parser
Declined		None	T208191 Set hhvm.virtual_host[default][always_decode_post_data] = false
Invalid		None	T209022 current CSP testing policy would block frames
Open		None	T208188 RFC: Partial opt-out method for Content security policy
Open	Feature	None	T327588 Consider adding more CSP directives to MediaWIki core
Resolved		fgiunchedi	T166229 Mediawiki replies with 500 on wrongly formatted CSP report
Resolved		Bawolff	T214743 Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain)
Open		None	T249513 CSP report-uri is deprecated
Open		None	T239077 Define policy aspects of CSP on wiki
Open		None	T239061 Adopt CSP policy for microsites
Open		None	T248808 Add CSP policy to installer
Open		None	T246639 Consider sending restrictive CSP in cases where $wgOut->disable() is called and scripting not needed
Open		None	T239069 Give MW a .htaccess in the images directory to mirror Wikimedia's CSP settings
Open		None	T211971 Check for maps features that might be affected with CSP policy
Open		None	T288225 Remove need for $wgExtensionFunction to configure CSP in MediaWiki
Open		None	T264196 CSP blocking favicon.ico
Open		None	T239078 Deploy CSP policy in enforce mode for MW to logged out users
Declined	BUG REPORT	None	T338790 Modify the Beta Wiki CSP to allow localhost:*
Open		None	T353816 Fix or remove $wmgUseCSPReportOnlyHasSession (CSP only for logged-in users)

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 9 2015, 9:03 AM

Bawolff mentioned this in T117618: Add restrictive CSP to upload.wikimedia.org.Nov 3 2015, 11:01 PM

Nemo_bis added a project: OKR-Work.Mar 13 2016, 10:15 AM

Krinkle added a subtask: T117618: Add restrictive CSP to upload.wikimedia.org.Apr 13 2016, 9:26 PM

Krinkle updated the task description. (Show Details)Apr 13 2016, 9:32 PM

Krinkle added a project: Security-Team.

Krinkle updated the task description. (Show Details)

Dinacel subscribed.May 22 2016, 4:53 PM

Bawolff mentioned this in T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.May 23 2016, 1:16 AM

Jdforrester-WMF added a subtask: T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.May 23 2016, 3:26 PM

Jdforrester-WMF mentioned this in T138604: Writing manual </div>s into header/footer using VisualEditor with ProofreadPage corrupts the page.Jun 24 2016, 3:56 PM

fgiunchedi created subtask T166229: Mediawiki replies with 500 on wrongly formatted CSP report.May 24 2017, 1:06 PM

matmarex closed subtask T166229: Mediawiki replies with 500 on wrongly formatted CSP report as Resolved.May 29 2017, 5:42 PM

Nirmos subscribed.Sep 19 2017, 12:17 PM

[15:18:19] <Reedy> https://twitter.com/Scott_Helme/status/962684239975272450
[15:18:21] <Reedy> This is fun
[23:33:32] <bd808> Reedy: crap like that is why we need CSP headers on the wikis

Quiddity subscribed.Mar 14 2018, 9:19 PM

Volker_E subscribed.Mar 28 2018, 3:48 PM

AndyRussG added a project: Front-end-Standards-Group.Mar 28 2018, 3:49 PM

AndyRussG subscribed.

alaa subscribed.May 10 2018, 3:49 AM

Will I as a gadget author have access to the violation reports for svwiki?

Reedy mentioned this in T200187: Support at least one editable open slides format on Commons.Jul 23 2018, 11:03 AM

In T28508#4212646, @Nirmos wrote:

Will I as a gadget author have access to the violation reports for svwiki?

Not currently (As it may contain private data). We will need to find some way to get that info to gadget authors. The initial rollout will just change sources but still allow unsafe-inline, so it shouldn't affect too much.

BethNaught subscribed.Aug 19 2018, 10:22 PM

Bawolff moved this task from Incoming to Epics in progress on the Security-Team board.Sep 4 2018, 4:19 PM

sbassett subscribed.Sep 14 2018, 7:11 PM

RP88 subscribed.Sep 14 2018, 10:54 PM

Schnark subscribed.Sep 15 2018, 7:50 AM

@Bawolff I'd like to get svwiki in report-only mode. Should I start a discussion with the community about this now, or is it way too early?

MusikAnimal subscribed.Oct 22 2018, 4:39 PM

In T28508#4669270, @Nirmos wrote:

@Bawolff I'd like to get svwiki in report-only mode. Should I start a discussion with the community about this now, or is it way too early?

Awesome. Thank you for volunteering. Actually do to certain circumstances, we are planning to expediate rolling out test mode to logged in users, so it should be happening for svwiki very soon.

See also T207900

Nirmos mentioned this in T208140: Detect/flag potentially malicious gadget/javascript edits .Oct 27 2018, 5:29 PM

I can't edit a certain page in ruwiki (https://ru.wikipedia.org/wiki/%D0%A1%D0%B1%D0%BE%D1%80%D0%BD%D0%B0%D1%8F_%D0%AF%D0%BF%D0%BE%D0%BD%D0%B8%D0%B8_%D0%BF%D0%BE_%D1%80%D0%B5%D0%B3%D0%B1%D0%B8-7 ) because of tons of errors related to Content Security Policy/CORS policy in browser console

2010 edit toolbar doesn't displayed, when I click on "Save" button, nothing happens, when I click preview, I got an error "HTTP error: error". Chrome (last release version), Monobook. There are not this issue in Firefox. Other pages can be edited.

MBH raised the priority of this task from Medium to High.Nov 14 2018, 3:37 PM

@MaxBioHazard CSP is in test only mode - which means it puts errors in the console, but doesn't actually do anything (yet). Any issues you are having is not caused by the CSP warnings.

That said, something looks wrong here, as many of the csp report urls for your user are for things that should be allowed under the CSP policy. (The only one's that seem valid are the blocks for dl.metabar.com).

I would say that its either some sort of browser bug, or a problem with an add-on that you have installed in your browser.

As an aside, this is the bug about long-term rollout plans for CSP. Issues encountered related to CSP should be filed as separate bugs.

I updated Chrome to version 70.0.3538.102 and this doesn't happen now.

@Bawolff where you see dl.metabar.com on my screenshots? I want to know what of my userscripts accesses this URL.

In T28508#4749602, @MaxBioHazard wrote:

I updated Chrome to version 70.0.3538.102 and this doesn't happen now.

@Bawolff where you see dl.metabar.com on my screenshots? I want to know what of my userscripts accesses this URL.

We record CSP reports. (Part of the reason we have csp in report only mode is to discover what would break if we turn it on). That was listed for your user in our csp reports database. I think that domain is associated with a browser plugin [maybe a yandex plugin] (some poorly written browser plugins are subject to the websites CSP policy, which really doesnt make sense) and not with a user script.

I don't have any Yandex plugin. I have only 4 enabled browser extensions: Google Translate, uBlock Origin, View Image (a small ext for Google Pictures) and a bypass of Russian state Internet censorship (https://chrome.google.com/webstore/detail/%D0%BE%D0%B1%D1%85%D0%BE%D0%B4-%D0%B1%D0%BB%D0%BE%D0%BA%D0%B8%D1%80%D0%BE%D0%B2%D0%BE%D0%BA-%D1%80%D1%83%D0%BD%D0%B5%D1%82%D0%B0/npgcnondjocldhldegnakemclmfkngch). Wiki[pm]edia is whitelisted in uBlock settings.

Amorymeltzer subscribed.Nov 17 2018, 7:00 PM

Jgreen mentioned this in T202290: test and deploy payments on Debian Stretch/PHP7.0.Jan 25 2019, 10:28 PM

Krenair added a subtask: T214743: Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain).Jan 26 2019, 12:41 AM

API returns warnings about Unrecognized parameters at Wikimedia Commons.

{"warnings":{"main":{"*":"Unrecognized parameters: {\"csp-report\":{\"blocked-uri\":\"https://tools_wmflabs_org/convert/svg2png_php\",\"document-uri\":\"https://commons_wikimedia_org/w/index_php?title, withJS."}},"cspreport":"success"}

The warning message indicates the title and withJS parameters are unknown?

In T28508#5001266, @Rillke wrote:
API returns warnings about Unrecognized parameters at Wikimedia Commons.
{"warnings":{"main":{"*":"Unrecognized parameters: {\"csp-report\":{\"blocked-uri\":\"https://tools_wmflabs_org/convert/svg2png_php\",\"document-uri\":\"https://commons_wikimedia_org/w/index_php?title, withJS."}},"cspreport":"success"}
The warning message indicates the title and withJS parameters are unknown?

See T208191. Its a known issue with HHVM. It might be fixed automatically as we move to php7 or I might write a work around patch. Note, even with the warnings, the cspreport should have been recorded just fine.

sbassett mentioned this in T218091: Security Team quarterly check in for April - June 2019.Apr 19 2019, 7:02 PM

Aklapper mentioned this in T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?.May 21 2019, 9:09 PM

Is there a planned "target" CSP to which we should be working? Something like:

content-security-policy:
    default-src commons.wikimedia.org incubator.wikimedia.org meta.wikimedia.org login.wikimedia.org species.wikimedia.org wikimania.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org blob: 'self';
    script-src www.mediawiki.org meta.wikimedia.org 'nonce-1234567890ABCDEF' 'strict-dynamic' 'unsafe-inline' 'self';
    style-src *.wikimedia.org 'unsafe-inline' 'self' data:;
    img-src  upload.wikimedia.org data:;
    media-src  upload.wikimedia.org;
    object-src 'none';
    base-uri 'self'

Esanders mentioned this in T230124: Remove all now defunct AddThis gadgets from WMF wikis (previously a violation of the privacy policy).Aug 8 2019, 12:10 PM

Ejegg mentioned this in T229607: Look into CSP changes in core.Aug 9 2019, 1:45 PM

• Mholloway subscribed.Sep 18 2019, 10:54 PM

• Jcross moved this task from Epics in progress to In Progress on the Security-Team board.Sep 23 2019, 4:07 PM

• Jcross moved this task from In Progress to Waiting on the Security-Team board.

• Mholloway mentioned this in T230811: Add appropriate security headers to MachineVision.Sep 30 2019, 7:00 PM

Jdforrester-WMF closed subtask T214743: Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain) as Resolved.Oct 28 2019, 4:25 PM

Bawolff added a project: ContentSecurityPolicy.Nov 3 2019, 10:11 AM

• chasemp moved this task from Waiting to Watching on the Security-Team board.Dec 2 2019, 8:57 PM

DanielFriesen unsubscribed.Dec 2 2019, 8:59 PM

Xover subscribed.Dec 20 2019, 5:44 PM

Isaac mentioned this in T242176: Launch experimental API for Wikidata-based topic model.Jan 24 2020, 4:17 PM

DannyS712 subscribed.Feb 3 2020, 9:16 AM

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM

• jbolorinos-ctr subscribed.Sep 2 2020, 7:32 PM

Justin_C_Lloyd subscribed.Mar 4 2021, 8:12 PM

This will torpedo my gadget development workflow as documented here: https://en.wikisource.org/wiki/User:Inductiveload/Script_development

Having to save every edit to user JS (or CSS) on-wiki before you can see it (and also having to convince the Wiki and the browser to clear the cache) is incredibly painful.

If CSP is going to happen, would it be possible to allow users to opt-in to localhost in the CSP on a specific port:

If the user's localhost is serving malicious JS on a specific port, the user is already out of luck, because an untrusted program is running on their machine already
If the user's localhost is serving accidentally exploitable JS from some other application, the user won't be able to start their server on that port and will change the port or find the misbehaving application
The user still won't be able to load malicious JS from other domains (except by proxying though localhost, which will only affect themselves, because 1) they have to opt-in in their account and 2) they have to be browsing from localhost)
No one will be able to load malicious or privacy-breaching (cross-domain) JS for anyone else, even if other people load that user's userscripts that attempt to.
Having this opt-in seriously reduces the surface of users who could even run into such events in the first place (probably 1 in a million readers of WMF wikis will enable this)

I think T208188: RFC: Partial opt-out method for Content security policy is probably what you're looking for.

From T208188 it's only about CSP for accessing data APIs, not JS:

The allowance is only for sending and receiving data. Not for importing executable JavaScript code.

While enWS does have several gadgets that make use of external APIs (in particular the IA data API), these can be proxied via Toolforge, so as long as that works, then it is a hassle/barrier to entry to the gadgets to but ultimately fine.

The comment above is about allowing the use of executable JS via something like mw.loader.load( 'https://localhost:12345/script.js' ); to avoid having to save a wiki page on every singe iteration and make sure caches for that JS are flushed (because you can serve with no-cache set, so it only keeps the local JS out of the cache, not everything on the page).

• Mholloway unsubscribed.Jun 15 2021, 1:33 AM

AntiCompositeNumber subscribed.Oct 28 2021, 1:02 AM

Chlod subscribed.Feb 12 2022, 11:45 AM

Ladsgroup subscribed.Dec 16 2022, 11:10 AM

bd808 added a subtask: T239077: Define policy aspects of CSP on wiki.Jun 7 2023, 7:33 PM

bd808 added a subtask: T239061: Adopt CSP policy for microsites.Jun 7 2023, 7:35 PM

bd808 added a subtask: T327588: Consider adding more CSP directives to MediaWIki core .

bd808 added a subtask: T248808: Add CSP policy to installer.

bd808 added a subtask: T246639: Consider sending restrictive CSP in cases where $wgOut->disable() is called and scripting not needed.Jun 7 2023, 7:38 PM

bd808 added a subtask: T239069: Give MW a .htaccess in the images directory to mirror Wikimedia's CSP settings.

bd808 added a project: Epic.Jun 7 2023, 7:41 PM

bd808 added a subtask: T211971: Check for maps features that might be affected with CSP policy.