The primary goal here is a defense-in-depth measure to stop an attacker who found a bug in the parser allowing them to insert malicious attributes. This wouldn't stop someone who could insert a full script tag (since at current it can't distinguish between malicious and legit user JS). It also would not prevent DOM-based or reflected XSS for anons, as the nonce value is guessable for anons when receiving a response cached by Varnish. However, the limited protection of just stopping stored XSS where the attacker only has control of attributes is still a big win in my opinion. (But it wouldn't prevent someone who has that type of XSS from abusing things like the data-ooui attribute.)

This will likely break many gadgets. It's expected that any sort of rollout on Wikimedia will be done very slowly, with lots of testing and the report-only option to begin with.

This is behind feature flags that are off by default, so merging this patch should not cause any change in default behaviour.

This may break some extensions (the most obvious one is charinsert (see fe648d41005), but it will probably need some testing in report-only mode to see if anything else breaks).

This uses the unsafe-eval option of CSP, in order to support RL's local storage thingy. For better security, we may want to remove some of the sillier uses of eval (e.g. jquery.ui.datepicker.js).

For more info, see spec: https://www.w3.org/TR/CSP2/

Additionally see: https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy

Bug: T135963
Change-Id: I80f6f469ba4c0b608385483457df96ccb7429ae5
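As an added illustration (not code from this patch or from MediaWiki), the following Python models the header the commit message describes: a fresh per-response nonce on script-src, the report-only header used for a slow rollout, 'unsafe-eval' kept for ResourceLoader, and a small CSP2 check showing why an injected event-handler attribute is refused while the site's own nonce'd script tag and a guessed-nonce tag are treated differently. The report endpoint path and the function names are assumptions.

```python
import base64
import secrets

REPORT_URI = "/csp-report"  # assumed report endpoint; the page does not name one

def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded; one fresh value per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(nonce: str, report_only: bool, allow_eval: bool = True):
    """Return (header name, header value) for one response.
    The nonce on script-src lets the site's own <script nonce=...> run while injected
    inline handlers are refused. 'unsafe-eval' stays on because the commit message says
    ResourceLoader's localStorage path still needs eval(); report_only selects the
    header used for a slow, report-first rollout."""
    sources = [f"'nonce-{nonce}'", "'self'"]
    if allow_eval:
        sources.append("'unsafe-eval'")
    value = "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(sources),
        f"report-uri {REPORT_URI}",
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value

def parse_csp(value: str) -> dict:
    """Split a serialized policy into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def script_allowed(value: str, kind: str, nonce: str = "") -> bool:
    """Model the CSP2 script-src decision for one script: kind is 'handler' (an
    onerror="..." attribute), 'tag' (a <script> element) or 'eval'. Nonces never
    apply to handler attributes, and once a nonce or hash is listed the browser
    ignores 'unsafe-inline' entirely, which is what makes attribute injection inert."""
    sources = parse_csp(value).get("script-src", [])
    if kind == "eval":
        return "'unsafe-eval'" in sources
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    unsafe_inline = "'unsafe-inline'" in sources and not nonce_or_hash
    if kind == "handler":
        return unsafe_inline
    return unsafe_inline or (bool(nonce) and f"'nonce-{nonce}'" in sources)
```

The model only covers script-src; a full user agent also applies default-src fallback and the other directives.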
| Name |
|---|
| code-coverage |
| databases |
| html |
| kss |
| php-memcached |
| uidesign |
| contenthandler.txt |
| database.txt |
| deferred.txt |
| design.txt |
| distributors.txt |
| doxygen_first_page.php |
| export-0.1.xsd |
| export-0.2.xsd |
| export-0.3.xsd |
| export-0.4.xsd |
| export-0.5.xsd |
| export-0.6.xsd |
| export-0.7.xsd |
| export-0.8.xsd |
| export-0.9.xsd |
| export-0.10.xsd |
| export-demo.xml |
| extension.schema.v1.json |
| extension.schema.v2.json |
| globals.txt |
| hooks.txt |
| injection.txt |
| language.txt |
| linkcache.txt |
| logger.txt |
| magicword.txt |
| maintenance.txt |
| memcached.txt |
| ontology.owl |
| README |
| schema.txt |
| scripts.txt |
| sitelist-1.0.xsd |
| sitelist.txt |
| sitescache.txt |
| skin.txt |
| title.txt |
/docs Directory README
======================

The 'docs' directory contains various text files that should help you understand the most important parts of the code of MediaWiki.

More in-depth documentation can be found at:
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Code
https://www.mediawiki.org/wiki/Special:MyLanguage/Developer_hub

API documentation is automatically generated and updated daily at:
https://doc.wikimedia.org/mediawiki-core/master/php/html/

You can get a fresh version using 'make doc' or mwdocgen.php in the ../maintenance/ directory.

For end users, most of the documentation is located online at:
https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents

Documentation for MediaWiki site administrators is at:
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Contents