https://bugzilla.wikimedia.org/show_bug.cgi?id=26508

--- Comment #10 from Christian Kujau <li...@nerdbynature.de> ---
Firefox & Chrome both have CSP enabled now. A single page load (6k article)
gives multiple errors, here's how Chrome articulates this:

   --- times reported, per page
   |
   v
   6 Refused to apply inline style because it violates the following Content
Security Policy directive: "default-src 'self'". Note that 'style-src' was not
explicitly set, so 'default-src' is used as a fallback.

   6 Refused to execute inline script because it violates the following Content
Security Policy directive: "default-src 'self'". Note that 'script-src' was not
explicitly set, so 'default-src' is used as a fallback.

  11 Refused to load the image 'xxx' because it violates the following Content
Security Policy directive: "default-src 'self'". Note that 'img-src' was not
explicitly set, so 'default-src' is used as a fallback.

So, we have 23 CSP violations on a single page. Without a special CSP header
for the mediawiki installation, these resources are NOT loaded and the wiki
page looks not really pretty.

To make these warnings go away, the following CSP would be necessary:

  "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline';
   style-src 'self' 'unsafe-inline'",

But especially these "unsafe-inline" statements are not recommended.

So, what can we do about this?

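To make the fallback behaviour in the Chrome messages concrete, here is a small CSP evaluator written for this note; it is an added example and not MediaWiki code or part of the bug report. It parses a policy header, resolves which directive governs a resource (falling back from `script-src`, `style-src` or `img-src` to `default-src` exactly as Chrome describes), and reports the same three kinds of refusal seen on the 6k article. The page origin `https://wiki.example.org`, the data: image and the nonce value are constructed sample values; the nonce-based policy goes beyond the comment and shows the usual way to allow specific inline elements without `'unsafe-inline'`.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly,
# which is why every message in the comment ends with the "fallback" note.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src"}
KIND = {"script-src": "script", "style-src": "style", "img-src": "image"}


@dataclass
class Resource:
    """One thing the page tries to load or run (url=None means inline)."""
    directive: str
    url: Optional[str] = None
    nonce: Optional[str] = None   # nonce attribute on an inline element


def parse_csp(header):
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']}, directive names lowercased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_directive(policy, directive):
    """Directive whose source list applies, or None when nothing restricts it."""
    if directive in policy:
        return directive
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return "default-src"
    return None


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def source_matches(source, resource, page_origin):
    """Does one source expression ('self', data:, 'unsafe-inline', 'nonce-x', origin) allow it?"""
    if resource.url is None:                      # inline script or style
        if source == "'unsafe-inline'":
            return True
        if source.startswith("'nonce-") and resource.nonce is not None:
            return source == f"'nonce-{resource.nonce}'"
        return False
    if source == "'self'":
        return origin_of(resource.url) == page_origin
    if source.endswith(":"):                      # scheme source such as data:
        return resource.url.startswith(source)
    return origin_of(resource.url) == source      # host source written as an origin


def violations(header, page_origin, resources):
    """Return Chrome-style refusal messages for every resource the policy blocks."""
    policy = parse_csp(header)
    messages = []
    for r in resources:
        gov = governing_directive(policy, r.directive)
        if gov is None or any(source_matches(s, r, page_origin) for s in policy[gov]):
            continue
        if r.url is None:
            verb = "execute" if r.directive == "script-src" else "apply"
            subject = f"{verb} inline {KIND.get(r.directive, r.directive)}"
        else:
            subject = f"load the {KIND.get(r.directive, r.directive)} '{r.url}'"
        note = ""
        if gov != r.directive:
            note = f" Note that '{r.directive}' was not explicitly set, so '{gov}' is used as a fallback."
        messages.append(
            f"Refused to {subject} because it violates the following Content Security "
            f"Policy directive: \"{gov} {' '.join(policy[gov])}\".{note}")
    return messages


# Constructed sample page: one inline style, one inline script, one data: image.
PAGE_ORIGIN = "https://wiki.example.org"
SAMPLE_RESOURCES = [
    Resource("style-src"),
    Resource("script-src"),
    Resource("img-src", url="data:image/png;base64,iVBORw0KGgo="),
]
STRICT_POLICY = "default-src 'self'"
RELAXED_POLICY = ("default-src 'self'; img-src 'self' data:; "
                  "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'")
# Hypothetical alternative: allow only inline elements carrying a matching nonce.
NONCE_POLICY = ("default-src 'self'; img-src 'self' data:; "
                "script-src 'self' 'nonce-r4nd0m'; style-src 'self' 'nonce-r4nd0m'")

if __name__ == "__main__":
    for msg in violations(STRICT_POLICY, PAGE_ORIGIN, SAMPLE_RESOURCES):
        print(msg)
```

Under `STRICT_POLICY` all three sample resources are refused with the fallback note; `RELAXED_POLICY` silences them at the cost of `'unsafe-inline'`. With `NONCE_POLICY` an inline element is allowed only when its `nonce` attribute equals the one in the header, so the server has to emit a fresh nonce per response. The evaluator deliberately leaves out one real-browser rule: when a nonce or hash source is present, browsers ignore `'unsafe-inline'` in that directive.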
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l