On Sun, May 22, 2016 at 6:17 PM, Brian Wolff <[email protected]> wrote:
> The Content-Security-Policy (CSP) header is a header that disables certain
> javascript features that are commonly used to exploit XSS attacks, in
> order to mitigate the risks of XSS. I think we could massively benefit
> from using this technology - XSS attacks probably being the most
> common security issue in MediaWiki. The downside is that it would
> break compatibility with older user scripts.
>
> Please see the full text of my proposal at
> https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
>
> The associated phabricator ticket is:
> https://phabricator.wikimedia.org/T135963

Hi everyone,

Brian, thanks for starting the discussion about CSP here! We're not yet in the position to make a final call on this, but let's use tomorrow's security-oriented ArchCom-RFC IRC office hour[1] as an opportunity to discuss this one further.

For the rest of y'all: my apologies for the short notice on the meeting tomorrow. The IRC meeting is in Phab as E198; more on that in my next email.

Rob

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
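To make the trade-off in Brian's quoted proposal concrete (CSP removing the script-loading patterns XSS relies on, at the cost of older inline user scripts), here is an added example, not code from the thread or from MediaWiki: a simplified `script-src` evaluator that shows which kinds of script a given policy lets run. The two policies, the page origin and the nonce value are constructed for illustration; the evaluator covers only the source types it lists, not the full CSP specification.

```python
from urllib.parse import urlsplit

# Constructed sample policies: the first allows everything an XSS payload
# needs; the second only runs 'self' scripts, nonce-tagged inline scripts
# and scripts from one extra origin. Older inline user scripts carry no
# nonce, which is exactly why the strict policy breaks them.
PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123' https://upload.example.org"
PAGE_ORIGIN = "https://wiki.example.org"

def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_sources(policy):
    # script-src falls back to default-src when it is absent
    return policy.get("script-src", policy.get("default-src", []))

def host_allowed(sources, page_origin, script_url):
    parts = urlsplit(script_url)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    for src in sources:
        if src == "*":
            return True
        if src.startswith("'"):  # keyword and nonce sources never match URLs
            if src == "'self'" and origin == page_origin.lower():
                return True
            continue
        host = src.lower().split("://", 1)[-1]
        if host.startswith("*."):
            if parts.netloc.lower().endswith(host[1:]):
                return True
        elif src.lower() == origin or host == parts.netloc.lower():
            return True
    return False

def script_allowed(header, page_origin, kind, value=None):
    """kind is 'inline', 'eval', 'nonce' or 'external'; value is the nonce or URL."""
    sources = script_sources(parse_csp(header))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if kind == "inline":
        # once a nonce or hash source is present, 'unsafe-inline' is ignored
        return "'unsafe-inline'" in sources and not has_nonce_or_hash
    if kind == "eval":
        return "'unsafe-eval'" in sources
    if kind == "nonce":
        return f"'nonce-{value}'" in sources
    if kind == "external":
        return host_allowed(sources, page_origin, value)
    raise ValueError(f"unknown script kind: {kind}")
```

Under `STRICT_CSP`, an injected inline `<script>` and `eval()` are refused while the site's own nonce-tagged and `'self'` scripts still load, which is the mitigation and the compatibility break from the proposal in one policy.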
