A partial archive of https://discourse-mediawiki.wmflabs.org as of Saturday May 21, 2022.

Documentation on Implementing CSP Headers

abeason

Is there any published documentation on how to correctly implement CSP headers for a more or less standard MediaWiki install without breaking page formatting? For example, something like

X-Content-Security-Policy: allow 'self'; img-src 'self' data:

I have found that enabling CSP headers on my site has led to various degrees of broken formatting.

Since CSP is intended to limit what’s being loaded to vetted/known sources, and since I almost certainly don’t know where everything in the extensions I’m using is coming from, I’m wondering if there is an established best practice for a minimally secure setting for this that doesn’t horribly mangle the appearance of the site.

In practice this is probably not a huge deal, but it does put a dent in the security metrics for the site when it’s scanned/audited.
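As an added example (not from the thread or from MediaWiki itself), a small Python checker that parses the policy quoted above, rewrites the pre-standard `allow` directive and `X-Content-Security-Policy` header name into the standard form, flags source expressions that undermine the policy, and emits a Report-Only variant for a trial run. The directive and header names are the real standard ones; the sample policies are constructed.

```python
"""Added example (not from the original thread): parse a CSP policy string,
normalise the pre-standard syntax used in the question, and report risky
source expressions. Sample policies in the tests are constructed."""

# Pre-standard directive names (old Firefox X-Content-Security-Policy syntax)
# mapped to their standardised equivalents.
LEGACY_DIRECTIVES = {"allow": "default-src"}
# Header names that current browsers no longer honour for CSP.
OBSOLETE_HEADERS = {"x-content-security-policy", "x-webkit-csp"}
# Source expressions that weaken the protection CSP is meant to provide.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "data:"}
# Directives where data: would allow script/plugin execution from inline data.
DATA_SENSITIVE = {"script-src", "object-src", "default-src"}


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split 'dir1 src src; dir2 src' into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives[LEGACY_DIRECTIVES.get(name, name)] = tokens[1:]
    return directives


def serialize_policy(directives: dict[str, list[str]]) -> str:
    """Rebuild a policy string from the parsed directive map."""
    return "; ".join(f"{n} {' '.join(s)}".strip() for n, s in directives.items())


def standard_header(policy: str, report_only: bool = False) -> tuple[str, str]:
    """Return the standard (name, value) pair. Report-Only mode logs violations
    (console / report-uri) without blocking, so layout breakage from
    unvetted extension assets can be found before the policy is enforced."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, serialize_policy(parse_policy(policy))


def audit_header(header_name: str, policy: str) -> list[str]:
    """Return human-readable findings for a header name/value pair."""
    findings = []
    if header_name.lower() in OBSOLETE_HEADERS:
        findings.append(f"{header_name} is obsolete; use Content-Security-Policy")
    for name, sources in parse_policy(policy).items():
        for src in sources:
            # data: on img-src (as in the question) is a common, low-risk
            # allowance; on script/object/default it permits injected code.
            if src == "data:" and name not in DATA_SENSITIVE:
                continue
            if src in RISKY_SOURCES:
                findings.append(f"{name} allows {src}")
    return findings
```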

Tgr

Requests_for_comment/Content-Security-Policy has information on how Wikimedia was planning to configure it.