BBlack has submitted this change and it was merged.

Change subject: Add Content-Security-Policy to images from test[2]wiki
......................................................................


Add Content-Security-Policy to images from test[2]wiki

Do not deploy until after 1.28wmf9 is on testwiki.

This adds a Content Security Policy for images in report-only mode,
for images uploaded to test/test2. This is meant as part of the
testing phase before more widely deploying CSP on uploaded media.
See
https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
for details.

The (eventual) security goal is an extra layer of defense against
SVGs with embedded malicious javascript or tracking pixels.

The header this adds is:
Content-Security-Policy-Report-Only: default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data:; media-src data:; sandbox; report-uri https://test.wikipedia.org/w/api.php?reportonly=1&src=image

(And variants with X- and X-Webkit)

Bug: T117618
Change-Id: I75e8d3bc0901b5f75b8ef81637e60bc40b6d3ef3
---
M templates/varnish/upload-frontend.inc.vcl.erb
1 file changed, 8 insertions(+), 0 deletions(-)

Approvals:
  BBlack: Verified; Looks good to me, approved



diff --git a/templates/varnish/upload-frontend.inc.vcl.erb 
b/templates/varnish/upload-frontend.inc.vcl.erb
index edf168b..bad64da 100644
--- a/templates/varnish/upload-frontend.inc.vcl.erb
+++ b/templates/varnish/upload-frontend.inc.vcl.erb
@@ -130,6 +130,14 @@
        // JavaScript with a different origin to access resource timing info
        // (e9cbfd539edd3). See <https://phabricator.wikimedia.org/T76020>.
        set resp.http.Timing-Allow-Origin = "*";
+
+       // Restrict uploads from loading external resources. (T117618)
+       // Currently experimental and testing on test/test2.wikipedia.org only.
+       if (req.url ~ "^/wikipedia/test") {
+               set resp.http.Content-Security-Policy-Report-Only = 
"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src 
data:; media-src data:; sandbox; report-uri 
https://test.wikipedia.org/w/api.php?reportonly=1&src=image";;
+               set resp.http.X-Content-Security-Policy-Report-Only = 
resp.http.Content-Security-Policy-Report-Only;
+               set resp.http.X-Webkit-CSP-Report-Only = 
resp.http.Content-Security-Policy-Report-Only;
+       }
 }
 
 sub cluster_fe_err_synth {
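Review bot: the match `req.url ~ "^/wikipedia/test"` is a bare prefix, so it also applies to any other path under /wikipedia/ that happens to begin with "test", not only the test and test2 wikis the commit message and comment describe. If the intent is strictly those two, anchor the segment, e.g. `if (req.url ~ "^/wikipedia/test2?/") {`, so the experimental report-only header cannot leak onto other projects. The rest of the block (copying the value into the X- and X-Webkit- variants) follows from the canonical header and looks consistent with the described policy.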

-- 
To view, visit https://gerrit.wikimedia.org/r/296634
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I75e8d3bc0901b5f75b8ef81637e60bc40b6d3ef3
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Brian Wolff <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: Brian Wolff <[email protected]>
Gerrit-Reviewer: Ema <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
