Topic on Project:Support desk

Compare the MediaWiki home page (lines 6, 7, 302 in the source file): MediaWiki and the Wikipedia home page (lines 6,7, 444 in the source file) . The MediaWiki page has added the "nonce" attribute to the script tags so that, I presume, they can enforce a Content Security Policy on their site. I would like to do the same.

Which files do I need to edit to add a nonce attribute to precisely the same script tags as the MediaWiki admins have done? I have tried to grep for the script tags in my installation directory (MediaWiki 1.30.0) but blindly changing some of the script tag matches that I found did not make their way onto my site's home page.

Secondly, how have they added those nonce attributes? Primarily I would like to know where to edit the files, but it would be helpful to also know what to do. But I can always learn this myself; just to know where to make the edits is my primary concern.

Any help would be appreciated. I have tried searching for this information, but have found nothing. Thanks.

There is no way to successfully use this feature in MediaWiki 1.30, sorry. It's currently experimental and being worked on for Wikimedia production, and may get working well enough to recommend for third party use with MediaWiki 1.32. You can follow progress on T28508 if you wish.

Ah, I see. That's annoying. I downloaded the latest 1.32 snapshot just to poke around and there was a file includes/ContentSecurityPolicy.php. There also seem to be references in other files too. Hopefully this will mean the MediaWiki 1.32 release will have something I can use.

Thank you very much.

I am the author of the CSP stuff, and I am super pumped that there's interest from other people in this.

We're still very much in the testing stags, but at the very least I intend to try and get CSP in enforce mode on https://test.wikipedia.org by the end of the week.

None of the code is particularly version dependent (And in fact the original version of the patch was for a much older version of MW ), so you could potentially try and backport the patches to your version, however doing so is not officially supported and you won't get any support if running a customized version of MW source.

That said, if you have any feedback I'd love to hear it.

Hi Bawolff

I am very much interested in this CSP stuff, and so it is great to get a response from the author of these additions; thanks a lot for replying!

So to give some idea of what I tried, as a start I simply did a grep for the script tags in question and tried to locate the code that was setting them. Finding a few functions and using the 1.32 code as a guide I could add the nonce attribute to these functions directly just to see if I could get something working. This did indeed work, although it was ugly.

The problem was there was another script that was being called and since I really have no idea how MediaWiki operates I would have to have dug a lot deeper into the source files and figure out what was going on behind the scenes. I decided at this point to maybe wait for 1.32+ instead, seeing as I planned a server upgrade in 6 months time anyway :)

But, with the commit you linked to I can see exactly what functions need to be patched. Thanks!

I will attempt to patch the version I have at some point before the weekend and see how it goes. If I get it working then I may have feedback (prob nothing of any import since you will know far more than me on how it all works; much more likely is that something will go wrong and I will need help!).

But I will report back how it goes in any case. I think this functionality really should be available to MediaWiki operators in some way, so good for you for having done this.

Thanks again!