With the disclaimer that I'm not a security engineer and that I understand
only parts of this proposal, in general this strikes me as a good idea. It
seems to me that trying to develop a comprehensive list of what tools /
scripts this proposal would likely break, how important those breaks are,
and who could fix them and when, would help with developing a roadmap
toward implementing this proposal with appropriate mitigation and
communication.

It seems to me that this is the kind of project for which product community
liaisons are well suited to help with developing and implementing a rollout
plan. Is there any chance of getting a CL to help with this project?

Thanks for the initiative,

Pine

On May 22, 2016 18:18, "Brian Wolff" <bawo...@gmail.com> wrote:

> So the RFC process page says I should email wikitech-l to propose an RFC,
> thus:
>
> Content-Security-Policy (CSP) header is a header that disables certain
> javascript features that are commonly used to exploit XSS attacks, in
> order to mitigate the risks of XSS. I think we could massively benefit
> from using this technology - XSS attacks probably being the most
> common security issue in MediaWiki. The downside is that it would
> break compatibility with older user scripts.
>
> Please see the full text of my proposal at
> https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy
>
> The associated phabricator ticket is:
> https://phabricator.wikimedia.org/T135963
>
> I'd appreciate any comments anyone might have.
>
> Thanks,
> Brian
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
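To make the trade-off in the quoted proposal concrete (a policy that disables inline script execution blocks the XSS payloads that rely on it, but also blocks legacy user scripts that are injected the same way), here is an added example, not code from the RFC, the Phabricator ticket or MediaWiki itself. It builds a `Content-Security-Policy` header whose `script-src` admits only same-origin scripts, listed hosts and nonce-tagged inline scripts, then classifies each `<script>` in a page as allowed or blocked. The policy, the `build_csp`/`evaluate_scripts` helpers, the host names and the sample HTML are all constructed for this illustration; host matching is simplified to exact host comparison (no scheme, port, path or wildcard handling) and hash sources are not implemented.

```python
"""Classify <script> elements in a page under a Content-Security-Policy.

Added example, not code from the RFC or from MediaWiki. The policy, the
sample HTML and the host names below are constructed for illustration.
"""
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit


def build_csp(nonce, allowed_hosts=(), report_only=False):
    """Return (header_name, header_value) for a nonce-based script policy.

    report_only=True selects the Report-Only header, which logs violations
    without blocking; that is the usual first rollout step when older
    scripts may break.
    """
    sources = ["'self'", f"'nonce-{nonce}'", *allowed_hosts]
    value = "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(sources),
        "object-src 'none'",
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def parse_script_src(csp_value):
    """Return script-src source expressions, falling back to default-src."""
    directives = {}
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


class _ScriptCollector(HTMLParser):
    """Collect src, nonce and inline body of every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "nonce": a.get("nonce"), "body": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def _host_of(expr):
    """Host part of a source expression or URL ('//' is added if absent)."""
    return urlsplit(expr if "//" in expr else "//" + expr).netloc.lower()


def evaluate_scripts(html, csp_value, page_origin):
    """Return [(label, allowed, reason)] for each <script> in html.

    Simplification (assumption of this example): hosts are compared exactly;
    wildcards, ports, paths and hash sources are not handled.
    """
    sources = parse_script_src(csp_value)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    # Per CSP, a nonce or hash in script-src makes 'unsafe-inline' ignored.
    allow_inline = "'unsafe-inline'" in sources and not nonces
    hosts = {_host_of(s) for s in sources if not s.startswith("'")}
    page_host = _host_of(page_origin)
    collector = _ScriptCollector()
    collector.feed(html)
    results = []
    for s in collector.scripts:
        if s["src"] is None:
            label = "inline: " + s["body"].strip()[:40]
            if s["nonce"] and s["nonce"] in nonces:
                results.append((label, True, "nonce matches policy"))
            elif allow_inline:
                results.append((label, True, "'unsafe-inline' permits it"))
            else:
                results.append((label, False, "inline script without a valid nonce"))
        else:
            label = "external: " + s["src"]
            host = _host_of(s["src"])
            if host == "" or host == page_host:
                ok = "'self'" in sources or page_host in hosts
            else:
                ok = host in hosts
            results.append((label, ok, "host allowed" if ok else "host not in script-src"))
    return results


# Constructed sample page: a nonce-tagged loader, a legacy inline user
# script, one listed CDN, one unlisted host and one same-origin script.
SAMPLE_HTML = """
<html><body>
<script nonce="abc123">mw.loader.load('startup');</script>
<script>importScript('User:Example/legacy.js');</script>
<script src="//cdn.example.org/lib.js"></script>
<script src="https://unlisted.example/x.js"></script>
<script src="/load.php?modules=site"></script>
</body></html>
"""

if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # fresh per response in a real server
    name, value = build_csp("abc123", allowed_hosts=("https://cdn.example.org",))
    print(f"{name}: {value}")
    for label, allowed, reason in evaluate_scripts(SAMPLE_HTML, value, "https://wiki.example.org"):
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {label}  ({reason})")
```

Running it shows the legacy inline `importScript(...)` call and the unlisted host blocked while the nonce-tagged loader, the listed CDN and the same-origin `load.php` request pass, which is exactly the breakage-versus-mitigation inventory the replies above ask for; shipping the `Report-Only` variant first lets such blocks be collected from real pages before enforcement.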