On Sun, May 22, 2016 at 6:17 PM, Brian Wolff <bawolff@gmail.com> wrote:
The Content-Security-Policy (CSP) header is a header that disables certain JavaScript features that are commonly used to exploit XSS attacks, in order to mitigate the risks of XSS. I think we could massively benefit from using this technology, XSS attacks probably being the most common security issue in MediaWiki. The downside is that it would break compatibility with older user scripts.
Please see the full text of my proposal at https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
The associated phabricator ticket is: https://phabricator.wikimedia.org/T135963
Hi everyone,
Brian, thanks for starting the discussion about CSP here! We're not yet in the position to make a final call on this, but let's use tomorrow's security-oriented ArchCom-RFC IRC office hour[1] as an opportunity to discuss this one further.
For the rest of y'all: my apologies for the short notice on the meeting tomorrow. The IRC meeting is in Phab as E198; more on that in my next email.
Rob
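To make concrete what Brian's quoted description means by "disables certain JavaScript features", here is an added example that is not part of this thread and not MediaWiki's or Wikimedia's code: a small evaluator for the script-related parts of a CSP header. It compares a strict policy (site-hosted and nonced scripts only) against a permissive one and shows which script features each policy blocks: injected inline scripts, inline event handlers and eval() are what a typical XSS relies on, and inline handlers and eval() are also what older user scripts and gadgets tend to use, which is the compatibility cost mentioned above. The policy strings, nonce and URLs are constructed for illustration and are assumptions, not the real headers or hosts of any Wikimedia site.

```javascript
// Added example (not from the thread or from MediaWiki): evaluate script
// requests against the script-src / default-src part of a CSP header.
// Ports, paths, hashes and 'strict-dynamic' are left out for brevity.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = values;
  }
  return policy;
}

// script-src governs scripts, default-src is the fallback; if neither is
// present the browser applies no script restriction at all.
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

// Match one host-source expression ('self', *, scheme:, scheme://host,
// *.host) against a script URL.
function hostMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  let scheme = null, host = expr;
  const i = expr.indexOf('://');
  if (i !== -1) { scheme = expr.slice(0, i + 1); host = expr.slice(i + 3); }
  host = host.split('/')[0].split(':')[0].toLowerCase();
  if (scheme && url.protocol !== scheme.toLowerCase()) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// request: {kind:'external', url} | {kind:'inline', nonce?} |
//          {kind:'handler'} (onclick=... or javascript: URL) | {kind:'eval'}
function scriptAllowed(policy, request, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const has = (s) => sources.includes(s);
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s)).map((s) => s.slice(7, -1));
  const hasNonceOrHash = nonces.length > 0 || sources.some((s) => /^'sha(256|384|512)-/.test(s));
  // CSP Level 2 and later: a nonce or hash in the list makes 'unsafe-inline' ignored.
  const unsafeInline = has("'unsafe-inline'") && !hasNonceOrHash;
  switch (request.kind) {
    case 'eval':
      return has("'unsafe-eval'");
    case 'inline':
      return unsafeInline || (request.nonce !== undefined && nonces.includes(request.nonce));
    case 'handler':
      return unsafeInline; // nonces cannot be attached to event-handler attributes
    case 'external': {
      const url = new URL(request.url);
      return sources.some((s) => (s === "'self'" || !s.startsWith("'")) && hostMatches(s, url, pageOrigin));
    }
    default:
      throw new Error('unknown request kind ' + request.kind);
  }
}

// Hypothetical policies and page origin, constructed for this example.
const STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://*.wikimedia.org";
const LEGACY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const PAGE = 'https://en.wikipedia.org';

// For each kind of script, return [allowed under STRICT, allowed under LEGACY].
function compare() {
  const cases = {
    siteScript:     { kind: 'external', url: 'https://en.wikipedia.org/w/load.php' },
    cdnScript:      { kind: 'external', url: 'https://upload.wikimedia.org/x.js' },
    thirdParty:     { kind: 'external', url: 'https://evil.example/x.js' },
    noncedInline:   { kind: 'inline', nonce: 'r4nd0m' },
    injectedInline: { kind: 'inline' },   // what a stored XSS usually is
    onclickAttr:    { kind: 'handler' },  // common in older user scripts
    evalCall:       { kind: 'eval' },
  };
  const out = {};
  for (const [name, req] of Object.entries(cases)) {
    out[name] = [scriptAllowed(parseCsp(STRICT), req, PAGE),
                 scriptAllowed(parseCsp(LEGACY), req, PAGE)];
  }
  return out;
}

console.log(compare());
```

Under the strict policy only the site's own scripts, the listed CDN and the script carrying the server-issued nonce run; an injected inline script, an inline onclick handler and eval() are all refused, which is exactly the XSS mitigation and the user-script breakage Brian describes. Note the subtlety in scriptAllowed: once a nonce is present, 'unsafe-inline' is ignored, so a policy cannot be "softened" by adding both.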