User:Bawolff/CSP-mar26

This is a rough document on what's left to do for CSP:

Restricting load sources on wikis

 * Various patches related to Special:ContentSecurityPolicyExceptions need to be merged:
 * Once those are merged, the new table has to be created
 * Config has to change to enable the feature. The original plan was also to have a ContentSecurityPolicyValidateUserException hook that refuses whitelist entries for tools.wmflabs.org without a path part, or for *.wmflabs.org. The idea is that users can whitelist a specific tool, but we should avoid allowing all of cloud to be whitelisted: lots of people would do that, and since anyone can create a new tool or cloud project, such an entry lets anyone who creates one serve script to the wiki, which defeats the restriction.
 * Need a policy document for what is and is not OK in terms of loading external resources (i.e. external scripts are never OK, but loading external data is OK with user consent)
 * Need to do lots of outreach, to users and to gadget authors. Should also specifically reach out to whoever is behind the top 5 or so most common external script loads and get them to stop, since a few very common violations make up the bulk of the reports
 * Eventually, switch to enforce mode on test wiki
 * Switch to enforce mode everywhere
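Two of the items above have a mechanical core that is easy to get wrong: deciding which whitelist entries are narrow enough (the check the planned hook would do), and finding the handful of external script loads that dominate the report-only violation reports. The following is an added illustration in Python, not MediaWiki code or the hook itself; the SHARED_HOSTING list, the function names and the SAMPLE_REPORTS lines are assumptions constructed for this example.

```python
"""Helpers for a CSP rollout: vetting user-requested whitelist entries and
ranking the external script loads that violation reports complain about most.

Added example, not MediaWiki's code. SHARED_HOSTING, the function names and
SAMPLE_REPORTS are assumptions made for illustration.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Hosts where anyone can create a project or tool. Whitelisting such a host
# without a path, or a wildcard over its subdomains, is equivalent to
# whitelisting every present and future tenant. (Assumed list.)
SHARED_HOSTING = {"tools.wmflabs.org", "wmflabs.org"}


def parse_source(expr):
    """Split a CSP host-source expression into (host, path).

    Scheme and port are dropped and the host is lower-cased; a missing path
    yields "".
    """
    expr = expr.strip().lower()
    if "://" in expr:
        expr = expr.split("://", 1)[1]
    host, sep, path = expr.partition("/")
    host = host.split(":", 1)[0]  # drop an explicit port
    return host, ((sep + path) if sep else "")


def is_acceptable_source(expr):
    """Decide whether a user-requested whitelist entry is narrow enough.

    Rejects the bare wildcard, any wildcard covering a shared-hosting zone, and
    a shared-hosting host that is not narrowed to a specific path (one tool).
    """
    host, path = parse_source(expr)
    if not host or host == "*":
        return False
    if host.startswith("*."):
        zone = host[2:]
        # *.wmflabs.org or *.tools.wmflabs.org would cover every tenant.
        return not any(zone == d or zone.endswith("." + d) for d in SHARED_HOSTING)
    if host in SHARED_HOSTING:
        # tools.wmflabs.org/mytool/ names one tool; tools.wmflabs.org and
        # tools.wmflabs.org/ name all of them.
        return path.strip("/") != ""
    return True


def top_blocked_script_hosts(report_lines, n=5):
    """Rank external hosts by how many violation reports blocked a script from them.

    Each line is one JSON document in the report-uri format. Reports for other
    directives and non-URL blocked-uri values ("inline", "eval") are ignored.
    """
    counts = Counter()
    for line in report_lines:
        report = json.loads(line).get("csp-report", {})
        directive = report.get("effective-directive") or report.get("violated-directive", "")
        if not directive.startswith("script-src"):
            continue
        host = urlsplit(report.get("blocked-uri", "")).hostname
        if host:
            counts[host] += 1
    return counts.most_common(n)


# Constructed sample reports, not real data from any wiki.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://example.org/wiki/A", "violated-directive": "script-src", "blocked-uri": "https://tools.wmflabs.org/widget/w.js"}}',
    '{"csp-report": {"document-uri": "https://example.org/wiki/B", "effective-directive": "script-src-elem", "blocked-uri": "https://tools.wmflabs.org/other/x.js"}}',
    '{"csp-report": {"document-uri": "https://example.org/wiki/C", "violated-directive": "script-src", "blocked-uri": "https://tools.wmflabs.org/widget/w.js"}}',
    '{"csp-report": {"document-uri": "https://example.org/wiki/D", "violated-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.org/wiki/E", "violated-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"document-uri": "https://example.org/wiki/F", "violated-directive": "img-src", "blocked-uri": "https://cdn.example.net/pic.png"}}',
    '{"csp-report": {"document-uri": "https://example.org/wiki/G", "violated-directive": "script-src", "blocked-uri": "inline"}}',
]

if __name__ == "__main__":
    for entry in ["tools.wmflabs.org/mytool/", "tools.wmflabs.org", "*.wmflabs.org", "example.wmflabs.org"]:
        print(entry, "->", "ok" if is_acceptable_source(entry) else "too broad")
    print(top_blocked_script_hosts(SAMPLE_REPORTS))
```

The whitelist check treats the scheme and port as irrelevant to breadth and only looks at host and path, because a user who writes https://tools.wmflabs.org still gets every tool. The report triage keys on the host only, so many distinct scripts from one tool show up as one entry, which is what you want when deciding whom to contact.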

Mitigating risk for user-provided images

 * https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/547929/
 * Do some minor outreach, then switch upload.wikimedia.org to enforce mode
 * Output CSP headers on img_auth.php and anything else that streams files from the main domain, so that an uploaded file a browser decides to render as active content (an SVG, say) cannot run script in the wiki's own origin. [Also, img_auth.php really should be disabled on public production wikis.] - https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/575993/

Other stuff

 * Eventually, a preference to enable nonce mode for users who want "high security". Perhaps eventually on by default, with an opt-out for legacy scripts
 * Put CSP headers everywhere (error pages etc., and also the other minor domains)