https://bugzilla.wikimedia.org/show_bug.cgi?id=26508

           Summary: Content Security Policy (CSP)
           Product: MediaWiki
           Version: wikimedia-deployment
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: Javascript
        AssignedTo: d...@ucsc.edu
        ReportedBy: seat...@gmail.com
                CC: tpars...@wikimedia.org


Coming in Firefox 4

"Content Security Policy (CSP) is an added layer of security that helps to
detect and mitigate certain types of attacks, including Cross Site Scripting
(XSS) and data injection attacks."

"Enabling CSP is as easy as configuring your web server to return the
X-Content-Security-Policy HTTP header."

Example of change required:
"
* User Agents MUST block:
o The contents of internal <script> nodes
o javascript: URIs, e.g. <a href="javascript:bad_stuff()"> (unless enabled by
policy)
o Event-handling attributes, e.g. <a onclick="bad_stuff()">

* User Agents MUST NOT block:
o Scripts imported from external files whose sources are allowed by the
protected document's policy AND are served with a Content-Type of
application/javascript or application/json. 
"

https://developer.mozilla.org/en/Introducing_Content_Security_Policy
https://wiki.mozilla.org/Security/CSP/Specification
https://wiki.mozilla.org/Security/CSP/Specification#Base_Restrictions

Jumping on the bandwagon:

phpMyAdmin
http://www.phpmyadmin.net/documentation/changelog.php
"+ [core] Include Content Security Policy HTTP headers."

MantisBT bugtracking
http://www.mantisbt.org/blog/?p=119
"As Firefox 4 has been pushed back to early 2011 we have more time to finish
off the implementation of X-Content-Security-Policy within MantisBT."
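An added example (not from the bug report, MediaWiki, or the projects named above): a small Python audit that finds the constructs the quoted "User Agents MUST block" list covers, so they can be moved to external files before the header is turned on, plus a helper that emits the header in the Mozilla draft syntax (`allow` as the default directive is taken from that draft, not from the text above). The host name and sample HTML are constructed.

```python
from html.parser import HTMLParser

class InlineScriptAuditor(HTMLParser):
    """Collect what the CSP base restrictions block: inline <script> bodies,
    javascript: URIs and on* handlers. Findings are (kind, where, line)."""
    URI_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # values arrive entity-decoded, so javascript&#58; is caught too
        if tag == "script":
            self._in_inline_script = "src" not in attrs  # external src stays allowed
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", f"<{tag} {name}>", self.getpos()[0]))
            elif name in self.URI_ATTRS and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", f"<{tag} {name}>", self.getpos()[0]))

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:40], self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

def audit(html):
    parser = InlineScriptAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

def csp_header(script_hosts=()):
    """Mozilla draft syntax: 'allow' is the default policy, script-src the script hosts."""
    sources = " ".join(("'self'",) + tuple(script_hosts))
    return ("X-Content-Security-Policy", f"allow 'self'; script-src {sources}")

# Constructed sample page (not MediaWiki output) with one of each blocked construct.
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script>var page = "Main_Page";</script>
</head><body><a href="javascript:toggleToc()">hide</a>
<input type="button" onclick="doSearch()" value="Go">
<a href="/wiki/Main_Page">ok</a></body></html>"""
```

Run `audit(SAMPLE_HTML)` to list the three findings with their line numbers; only the external `<script src>` and the plain link pass.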
