jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/341331 )
Change subject: Add other WMF domains to foundationwiki CSP policy for Special:HideBanners ...................................................................... Add other WMF domains to foundationwiki CSP policy for Special:HideBanners Pages like [[wmf:Thank_You/en]] include a bunch of images to set cookies to hide banners on various domains via Special:HideBanners. This means that at the very least, en.wiki(pedia|news|voyage|quote|...).org has to be included in the img-src. For good measure, just include *.<wikimedia domain>.org in the default-src. Change-Id: Icce522783d80abc0bca6e15e01ab46df41933122 --- M wmf-config/CommonSettings.php 1 file changed, 4 insertions(+), 1 deletion(-) Approvals: Thcipriani: Looks good to me, approved jenkins-bot: Verified diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php index e8248f3..f6aea83 100644 --- a/wmf-config/CommonSettings.php +++ b/wmf-config/CommonSettings.php 
@@ -3489,9 +3489,12 @@ if ( $wgDBname === 'foundationwiki' ) { // Foundationwiki has raw html enabled. Attempt to prevent people // from accidentally violating the privacy policy with external scripts. + // Note, we need all WMF domains in here due to Special:HideBanners + // being loaded as an image from various domains on donation thank you + // pages. $wgHooks['BeforePageDisplay'][] = function ( $out, $skin ) { $resp = $out->getRequest()->response(); - $cspHeader = "default-src *.wikimedia.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self'; report-uri /w/api.php?action=cspreport&format=none&reportonly=1&source=wmfwiki&"; + $cspHeader = "default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self'; report-uri /w/api.php?action=cspreport&format=none&reportonly=1&source=wmfwiki&"; $resp->header( "X-Webkit-CSP-Report-Only: $cspHeader" ); $resp->header( "X-Content-Security-Policy-Report-Only: $cspHeader" ); $resp->header( "Content-Security-Policy-Report-Only: $cspHeader" ); -- To view, visit https://gerrit.wikimedia.org/r/341331 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Icce522783d80abc0bca6e15e01ab46df41933122 Gerrit-PatchSet: 3 Gerrit-Project: operations/mediawiki-config Gerrit-Branch: master Gerrit-Owner: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: Florianschmidtwelzow <florian.schmidt.stargatewis...@gmail.com> Gerrit-Reviewer: Thcipriani <tcipri...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list 
MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
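Review bot: the hunk widens `default-src`, which also governs img-src, connect-src, frame-src, object-src and media-src because none of those are set explicitly, while the commit message only justifies the extra hosts for images; an explicit `img-src` directive listing the new domains would cover Special:HideBanners and leave the fallback policy at `*.wikimedia.org`. Also, `wikidata.org` is listed without a wildcard (unlike `www.mediawiki.org`), and a CSP host source without a wildcard matches only that exact host, so check whether the thank-you pages load the image from `wikidata.org` or from `www.wikidata.org`. The policy is Report-Only, so the `report-uri` endpoint will surface any host still missing before this is ever enforced; a style point, the same very long string is now even longer and is sent in three headers, so building the source list from an array would make later additions reviewable.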