I just had a brief chat with @hoo, and he noted that we'll have to protect the special page against gadgets that try to exempt themselves via that special page. And of course against external attackers that try to force exemptions via XRF. The very minimum is POST-only and a token, but we may have to force re-authentication. Also, we may want to suppress the loading of gadgets and user scripts on that page, like we do on login and preferences pages.

Another option is to not do this work. I don't see a good justification for letting any users bypass CSP. The ones who will complain the most about this are also the ones who shouldn't be allowed (sysops, interface admins, stewards, …). Yes, toolforge has a number of neat tools, but this is proposing a lot of fiddly work which I don't think adds value.

If the demand is really high, a much simpler alternative would be to have a "blessed scripts" repo that lets proxy scripts for toolforge tools be made available after manual security review on each patch, and which is exposed via docroot from mediawiki.org/magic or whatever.

In T208188#4804551, @Jdforrester-WMF wrote:

If the demand is really high, a much simpler alternative would be to have a "blessed scripts" repo that lets proxy scripts for toolforge tools be made available after manual security review on each patch, and which is exposed via docroot from mediawiki.org/magic or whatever.

Let's not do that, we are already nowhere near able to deal with code review requests, even without having to deal with users who don't speak English and scripts which only make sense in the context of some workflow that only exists on the Zulu Wikisource. Also reviewers tend to force fairly arbitrary and diverse code style requirements on people (which is reasonable when done for a repo with shared maintainership, not so reasonable when the reviewer has no stake in the code ever running, and I'm not sure we could avoid still doing it in that situation).

In T208188#4804551, @Jdforrester-WMF wrote:

Another option is to not do this work. I don't see a good justification for letting any users bypass CSP.

Making it effectively impossible to call to ToolForge from gadgets seriously diminishes the usefulness of ToolForge.

In T208188#4806570, @daniel wrote:

In T208188#4804551, @Jdforrester-WMF wrote:

Another option is to not do this work. I don't see a good justification for letting any users bypass CSP.

Making it effectively impossible to call to ToolForge from gadgets seriously diminishes the usefulness of ToolForge.

Nothing stops a ToolForge-based tool wrapping a Wikimedia wiki page or set of API call; it's just mildly less "cool" for the users to use the tool from tools.wmflabs.org/foo rather than de.wiktionary.org.

One thing I would consider is adding some kind of usage tracking (I think we can do that by having a stricter report-only and a looser full one and including the user id in the report uri) so people can see which URLs they are actually using and which can be removed. Otherwise they will come back after a year and have no clue which domain is for what (assuming we don't limit them to toolforge, those are least reasonably easy to interpret) and so they'll keep collecting dust forever even when the tool is defunct (users rarely remove gadgets that stop working) and will become ripe targets for attack.

However as we are not prepared at this time to disable eval() and variants, people could still get around this if they wanted to.

Or even if they did not want to, if they use something like $.getScript without realizing that that circumvents the CSP policy.

In T208188#4704286, @Bawolff wrote:

assuming full lookup of user groups on all wikis too expensive on every request

I don't see why it would be, it's easily cacheable.

Another suggestion that ive heard is have some sort of friendlier interstitial similar to oauth that people can agree to.

I was just about to suggest that, too. For gadgets it could be part of the enabling process (we might want to move away from the current system of gadget management happening on a slightly customized preferences tabs, although it's not strictly necessary). For user scripts (and as Anomie said above, it's not really realistic to do away with user scripts, short of something like T36958: User-level gadgets (aka "Gadgets 3.0")) we could use SecurityPolicyViolationEvent to trigger the interstitial (sorry Internet Explorer users) or provide an mw.csp.authorize().

(from the IRC meeting)

<duesen> I have a question about transitioning: if I'm usinx gadget X, which did not used to require access to an external resource, but is changed to now require it, what happens? does it break? is it disabled, and I have to re-enable it? how does this happen? how do I notice?

Whenever the CSP whitelist is changed, the gadget gets temporarily disabled for everyone, and they get an echo notification about it (which doesn't go away until you reenable/fully disable)? Would require a third state for gadgets besides enabled / not used, which is probably not hard to do as an ugly hack on top of the existing ugly hack of enabling gadgets via user options. We'd probably want some warnings in the gadget preferences UI, but it is well past time to turn that UI into something more BetaFeatures-like, anyway.

<_joe_> so you can authorize github.com/<someone> if you trust them

(and then several other people commenting about github user paths)

This part of the IRC discussion left me a bit confused. There is nothing interesting a script can do with github.com/<someone>. Either you want to run remote scripts and then it's raw.githubusercontent.com/<someone>, but I thought the plan is to ban all external script loading period (I certainly don't see any use case for allowing it). Or you want the github api, which is api.github.com, paths are generally not prefixed with the username, and anyway what would be the point of limiting GitHub API access to certain repos?

From last week's TechCom meeting:

The current proposal of extending the CSP policy with a dynamically determined list of exemptions from a new database table, managed by the user via a special page seems solid and we found no concerns with this approach.

However, we've been hesitant to put this on Last Call because we want to first make sure that this would suffice from a product perspective. That isn't a decision we can make, and if this has been approved already then a brief note indicating that would suffice. If not, then I think a bit more research and iteration might be required before we can proceed. In particular, because that research could lead you to prefer a different approach.

Two use cases in particular that I (personally) think may need to be considered are:

• Gadgets - This one is probably fairly straight-forward. The gadgets definition format is easy to extend, and the preferences page provides an existing secure venue for an interstitial to ask the user's consent.
• User scripts - This one is tricky. Depending on how we tackle this, it's quite likely to involve significant changes in many areas of MediaWiki that I believe should be discussed in scope of this RFC.

@Bawolff For user scripts, see T208188#4730946 and T208188#4732305 about how exemptions might be added/requested. There's also the story of how/if they would be removed after scripts change internally or are uninstalled.

@Bawolff I see no one have commented here in the last weeks. CSP is enabled for ~3 months and there are important privacy concerns with current situation (T207900#4846582).
Would you mind closing the RFC and breaking this to tasks based on what was agreed here?

This is summary of the above discussion as far as I understand

Core requirements

There is more or less agreement about the requirement from core in sense of DB/UI:

• Define exemptions table

CREATE TABLE /*_*/csp_sources (
	csp_user unsigned int NOT NULL,
	csp_url VARBINARY(255) NOT NULL, /* not csp_domain ; per Daniel's comment */
	csp_timestamp BINARY(14) NOT NULL
);

• Define user interface to enable it

Suggested methods to populate it

Regarding population of this table the following methods were suggested:

I think we should go for degrade gracefully approach mixing the above solutions:

MW Core:

1. Core defines CSP table and simple UI though special page (solution for any MW instance, whether or not gadgets extension is installed; works in IE)
2. SecurityPolicyViolationEvent to popup oauth like dialog for ease of use (no need to access to special page). E.g: document.addEventListener("securitypolicyviolation", (e) => { mw.csp.requestException(featureName=NULL, resources=[e.blockedURI]) }); // "Some unknown script have tried to load external code X. This may pose a security/privacy risk. [Block] [Approve]")

Aside from core solution we can OPTIONALLY (recommended but not required) expose it in a user friendly whenever we want to modify it. lazy gadget/userjs developers who don't define trusted urls gives the core to handle it in less user friendly solution (no feature name).

Extension Gadget:

• Add to gadget-defintions trusted URLs
• Expose the core capabilities: in Gadget section whenever enabling gadget:

onGadgetInstall(gadget) => { mw.csp.requestException(featureName=mw.msg(gadget.name), resources=gadget.trustedUrls) } // "Gadget-X would like to allow to load external resource X. This may pose a security/privacy risk. [Block] [Approve]") }

User scripts:

• Optionally implement

mw.csp.requestException(featureName='MY USER SCRIPT', resources=myTrustedUrls) } } // "MY USER SCRIPT would like to allow to load external resource X. This may pose a security/privacy risk. [Block] [Approve]")

In T208188#4940422, @eranroz wrote:

@Bawolff I see no one have commented here in the last weeks. CSP is enabled for ~3 months and there are important privacy concerns with current situation (T207900#4846582).
Would you mind closing the RFC and breaking this to tasks based on what was agreed here?

Just as an update, I am now working on this in earnest again.

Regarding UI for populating the table, the options seem to be:

• magic comments (/* @trust https://... ) - I'm opposed to this. I think this is too fragile and would involve a lot of complication in parsing these details out. Not to mention, when would the auth flow happen? When the user makes an edit to Special:MyPage/common.js ? How does cross-wiki includes work in this scheme
• gadget-definition - I think this is my favored approach for gadgets.
• SecurityPolicyViolationEvent - I'm not a fan. I worry that this will turn into "automatically say yes without reading". I would prefer that script writers have to explicitly declare external resource usage, so they don't just do it accidentally
• mw.csp.authorize / mw.csp.requestException - yeah I think this would be ok. My only concern is that a flow based on imperative ask for permissions might cause it to happen far away from when the user added the script to their user js, and thus they might not correlate the prompt with which script caused it.
• Special page that users manually add stuff to - I think this might suffice for the initial rollout, as a minimal viable product. Keep in mind that user scripts are an advanced feature that already require much technical knowledge to use. Furthermore, most user scripts do not load external data.

Another question: is the exception table global or perwiki? I think global makes the most sense

An additional concern - ideally, a malicious script looking to either exfiltrate data [To be clear, fully preventing exfiltration is basically impossible, and out of scope. CSP will prevent the obvious methods though] or receive instructions from an external source, should not be able to simply adjust the allow list. Otherwise there wouldn't be much point to having a whitelist. To that end, I would strongly like that adding an entry to the allow list requires the user to re-authenticate, similar to changing an email. This is one of my main motivations for proposing a separate table, instead of just adding a preference.

CREATE TABLE /*_*/csp_sources (
	csp_user unsigned int NOT NULL,
	csp_url VARBINARY(255) NOT NULL, /* not csp_domain ; per Daniel's comment */
	csp_timestamp BINARY(14) NOT NULL
);

Not sure if it was discussed above, but from a security/privacy perspective, it probably makes sense to redact csp_url (or whatever it ends up being) from dumps, etc. so as not to expose those specific resources to potential attackers. In fact, it might make sense to go even further and redact the entire table since I'm not sure how much informational value it has other than to potential attackers. (Not that you can't find similar info just searching users' common.js, etc, this would just be a much easier way to do so.)

In T208188#5691074, @sbassett wrote:

CREATE TABLE /*_*/csp_sources (
	csp_user unsigned int NOT NULL,
	csp_url VARBINARY(255) NOT NULL, /* not csp_domain ; per Daniel's comment */
	csp_timestamp BINARY(14) NOT NULL
);

Not sure if it was discussed above, but from a security/privacy perspective, it probably makes sense to redact csp_url (or whatever it ends up being) from dumps, etc. so as not to expose those specific resources to potential attackers. In fact, it might make sense to go even further and redact the entire table since I'm not sure how much informational value it has other than to potential attackers.

I agree - even without the attack scenario, its basically a glorified user preference, and we treat other user preferences (with minor exceptions) as private user data; i think we should do the same here

In T208188#5688500, @Bawolff wrote:

Just as an update, I am now working on this in earnest again.

Thanks for the update.

In T208188#5688578, @Bawolff wrote:

Regarding UI for populating the table, the options seem to be:

• magic comments (/* @trust https://... ) - I'm opposed to this. I think this is too fragile and would involve a lot of complication in parsing these details out. Not to mention, when would the auth flow happen? When the user makes an edit to Special:MyPage/common.js ? How does cross-wiki includes work in this scheme
• gadget-definition - I think this is my favored approach for gadgets.
• SecurityPolicyViolationEvent - I'm not a fan. I worry that this will turn into "automatically say yes without reading". I would prefer that script writers have to explicitly declare external resource usage, so they don't just do it accidentally
• mw.csp.authorize / mw.csp.requestException - yeah I think this would be ok. My only concern is that a flow based on imperative ask for permissions might cause it to happen far away from when the user added the script to their user js, and thus they might not correlate the prompt with which script caused it.
• Special page that users manually add stuff to - I think this might suffice for the initial rollout, as a minimal viable product. Keep in mind that user scripts are an advanced feature that already require much technical knowledge to use. Furthermore, most user scripts do not load external data.

Agree, I like the KISS approach for special page for initial rollout

Another question: is the exception table global or perwiki? I think global makes the most sense

Global exception table makes more sense IMO. Also in case of a breach it will be slightly easier to invalidate all entries with specific csp_url in 1 query.

Change 557581 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] [WIP] Special page to add exceptions to CSP policy

https://gerrit.wikimedia.org/r/557581

Should it be possible to add a short comment to the exceptions? Otherwise, users will ask themselves why they added an exception several years ago and wonder if they still use it. So I think it would make sense to allow adding a short comment like "exception for script foo" along with the exception.

Question: Why is this being done in a separate table rather than as a user preference (even if it is set using a dedicated special page instead of via preferences)? I.e., why not have the new special page, after ensuring authentication, etc. save a preference?

In T208188#5760085, @DannyS712 wrote:

Question: Why is this being done in a separate table rather than as a user preference (even if it is set using a dedicated special page instead of via preferences)? I.e., why not have the new special page, after ensuring authentication, etc. save a preference?

To make sure it is global and not local, and to ensure that it can't be set via other apis. I suppose both are at least in theory possible to do via user_options but it seemed like a separate table was cleaner.

Note: My patch is now much more complete and awaiting feedback :)

Tagging Platform Engineering to keep in the loop, and possible provide code review.

So the final table structure is

CREATE TABLE /*_*/csp_exceptions (
    cspe_id int unsigned NOT NULL PRIMARY KEY AUTO_INCREMENT,
    -- The global user id. user.user_id in default config. globaluser.gu_id with CentralAuth
    cspe_user int unsigned NOT NULL,
    -- Anything that can be a CSP source. Typically a domain name
    cspe_src varbinary(255) NOT NULL,
    -- foreign key to comment table
    cspe_comment_id bigint unsigned NOT NULL,
    -- Insert timestamp
    cspe_timestamp binary(14)
) /*$wgDBTableOptions*/;

CREATE UNIQUE INDEX /*i*/cspe_user_src ON /*_*/csp_exceptions (cspe_user, cspe_src);

With the idea that the table is global and lives (only) on meta. Some things to consider with this design:

• General scaling assumptions: Most users have 0 entries in this table. A small percentage of power users will have probably around 5 entries in this table. There is a system enforced limit of no more than 40 entries per user.
• Basically all logged in requests for all (SUL) wikis now depend on the meta db. There's a layer of caching in memcache, so its not hit on literally every request, but nonetheless it depends on it.
• cspe_src is likely to be somewhat repetitive. If we were really worried about duplication we could normalize it to a different table
• This uses the comment table.
  • This means that there is cross-wiki writes to the comment table on meta. This should be fine, but I don't think anything else does that, and it would be nice if someone who worked on the comment system could confirm that's ok
  • Initially I thought that Wikimedia cloud redaction might have to be changed, but based on https://github.com/wikimedia/puppet/blob/production/modules/profile/templates/labs/db/views/maintain-views.yaml#L355 that should all work fine.

In T208188#5833349, @Bawolff wrote:

• This means that there is cross-wiki writes to the comment table on meta. This should be fine, but I don't think anything else does that, and it would be nice if someone who worked on the comment system could confirm that's ok

That should be fine.

@Bawolff I've updated the task description to match the new rubric. I filled out the requirements based on what I gathered from the rest of the description. Feel free to adjust or correct as you see fit. The idea is that this makes it easier for people to contribute to the proposal by separating what is needed from what the current proposal does.

In T208188#5688578, @Bawolff wrote:

Regarding UI for populating the table, the options seem to be:

• magic comments (/* @trust https://...) - I'm opposed to this. I think this is too fragile and would involve a lot of complication in parsing these details out. Not to mention, when would the auth flow happen? When the user makes an edit to Special:MyPage/common.js ? How does cross-wiki includes work in this scheme
• gadget-definition - I think this is my favored approach for gadgets.
• SecurityPolicyViolationEvent - I'm not a fan. I worry that this will turn into "automatically say yes without reading". I would prefer that script writers have to explicitly declare external resource usage, so they don't just do it accidentally
• mw.csp.authorize / mw.csp.requestException - yeah I think this would be ok. My only concern is that a flow based on imperative ask for permissions might cause it to happen far away from when the user added the script to their user js, and thus they might not correlate the prompt with which script caused it.
• Special page that users manually add stuff to - I think this might suffice for the initial rollout, as a minimal viable product. Keep in mind that user scripts are an advanced feature that already require much technical knowledge to use. Furthermore, most user scripts do not load external data.

Another question: is the exception table global or perwiki? I think global makes the most sense

My concern with the special page approach is that it means there is no integration between CSP and scripts/gadgets whatsoever. I fear that this would greatly harm the gadget ecosystem and also not set us up for success in terms of security.

Some scenarios to consider:

• I enable a checkbox on Special:Preferences/gadgets. The gadget reads data from an API. Is the gadget going to fail half-way through? How will it break? What is the user experience like post-enforce for a typical gadget as it exists today? What can a gadget developer do to make sure their users don't feel the gadget is broken? What can we do to make sure it doesn't feel like MW is broken?
• I have somehow enabled a gadget and whitelisted its API endpoint. The gadget developer is now changing or adding an API endpoint. The same questions apply. How do we make this an experience that doesn't lead to "It's broken, I don't know what to do".
• A gadget I have enabled has discontinued one of their API endpoints. Perhaps they no longer need an extenal API. Perhaps they no longer trust this API. Perhaps they have consolidated two API endpoints into one. How do we make sure here that the extenral API can't be hijacked (e.g. after the domain expires) to be able to be abused by users who still have this old thing whitelisted for a gadget that doesn't ask for it anymore?
• I used to have a gadget enabled and I whitelisted an external API for it. Let's say the gadget is specific to an external party (e.g. "Translate something with Bing"), and I disable the gadget because I no longer trust this party.

To clarify, I don't think we need to have all of these addressed with an implementation upfront. But I'd like to hear:

• What is the rough plan for these?
• Do we know if those can be addressed in a good way without making breaking changes to the current proposal? (e.g. we may need to add a way to track what entity an website was whitelisted for).
• If you believe it would require breaking changes, is there a reasonable path forward? E.g. would you be okay with having all entries wiped away once we have a way to tracking stuff per-script, so that we retroactively ensure any old stuff won't remain forever? If not, it'd help gain confidence in the current draft if there is some other (even vague) plan for how to reconcile this. For example, is adding things manually a feature requirement we want to have long-term, or is it a temporary implementation detail until we can track things specifically?
• Is the PHP side of interacting with the table meant to be a public API within MediaWiki code, or can we consider it entirely private to the CSP component? E.g. would it have hooks or be allowed to be called from extensions.

Please note, my contract with WMF ended, so I'm not really working on this anymore. The security team will presumably be detailing what the future plans are here. However, I wanted to mention what my thoughts were on this subject at the time when I left.

I enable a checkbox on Special:Preferences/gadgets. The gadget reads data from an API. Is the gadget going to fail half-way through? How will it break? What is the user experience like post-enforce for a typical gadget as it exists today? What can a gadget developer do to make sure their users don't feel the gadget is broken? What can we do to make sure it doesn't feel like MW is broken?

My long-term plan was that you could specify additional hosts needed in MediaWiki:gadgets-definition. There would be a prompt when enabling the gadget as to whether you are ok with accessing that resource. In the short term though, I was expecting the special page to suffice.

Do we know if those can be addressed in a good way without making breaking changes to the current proposal? (e.g. we may need to add a way to track what entity an website was whitelisted for).

I was kind of expecting that any tracking needed per gadget, would be a separate system than the per-user exceptions (on the backend). I'm not sure it makes sense to combine the two, beyond having the Special:ContentSecurityPolicyExceptions UI display both.

If you believe it would require breaking changes, is there a reasonable path forward? E.g. would you be okay with having all entries wiped away once we have a way to tracking stuff per-script, so that we retroactively ensure any old stuff won't remain forever? If not, it'd help gain confidence in the current draft if there is some other (even vague) plan for how to reconcile this. For example, is adding things manually a feature requirement we want to have long-term, or is it a temporary implementation detail until we can track things specifically?

I was thinking that a general per-user opt out would be needed regardless of anything done with gadgets. I don't think user-scripts are compartmentalized enough to effectively track them per script, so I was thinking per-script tracking (when/if it exists) would only apply to gadgets, and any non-gadget user-scripts would continue to require users to manually adjust Special:ContentSecurityPolicyExceptions.

Is the PHP side of interacting with the table meant to be a public API within MediaWiki code, or can we consider it entirely private to the CSP component? E.g. would it have hooks or be allowed to be called from extensions.

I was thinking private for the exception table. There are other hooks in the CSP system for extensions to interact with if they want to adjust the CSP policy.

In T208188#6029647, @Bawolff wrote:

I was thinking that a general per-user opt out would be needed regardless of anything done with gadgets. I don't think user-scripts are compartmentalized enough to effectively track them per script, so I was thinking per-script tracking (when/if it exists) would only apply to gadgets, and any non-gadget user-scripts would continue to require users to manually adjust Special:ContentSecurityPolicyExceptions.

For the record, MCR could be used to attach information about required external domain to user scripts.
This would make management and re-use of user scripts easier. OTOH, that may not be something we want to encourage.

Please note, my contract with WMF ended, so I'm not really working on this anymore. The security team will presumably be detailing what the future plans are here. However, I wanted to mention what my thoughts were on this subject at the time when I left.

In context of the RFC process, the question is whether the proposed technical solution is satisfactory and feasible in the context of current and anticipated future requirements. The problem seems to be that such requirements are unclear, since there is no clarity on what would be acceptable or desirable behavior from the user's perspective, in the short and medium term.

It seems clear that we can't just cut off access to external domains with no replacement. Whoever makes that determination would also have to determine what we should be doing instead. If the need for changing the status quo is driven by security considerations, the security team should drive for a decision on this from the group responsible for the user experience.

In context of the RFC process, the question is whether the proposed technical solution is satisfactory and feasible in the context of current and anticipated future requirements. The problem seems to be that such requirements are unclear, since there is no clarity on what would be acceptable or desirable behavior from the user's perspective, in the short and medium term.

I've had one off conversations with some community members at various events. They seem to be ok with this solution, but it is a very small sample size.

It seems clear that we can't just cut off access to external domains with no replacement.

Indeed, nobody is proposing that, and there is code written and awaiting review to implement the special page solution, which was discussed during the RFC meeting from dec 2018.

In response to the task description: I think it's a bit much to require re-authorization to add a domain. Or more specifically, I think it's very reasonable for unknown domains. I think it's very wise to require authorization to load http://1901529060.xyz/session.js. But 1901529060.xyz is not quite the same as Flickr. The Flickr import in UploadWizard already warns the user: "This form will load content hosted by flickr.com and subject to the Flickr terms of use and privacy policy. Please note that by using this tool, your IP address and request details will be available to Flickr."

If you must a one-time checkbox could be added to that which would remain checked for future uploads if accepted once. Either way re-authorization should not be required here.

Of course, Flickr already knows your IP. How did you obtain a Flickr link to import to begin with? Exactly.

@AlexisJazz What you describe (one-time permission for a specific third party, stored with your user account indefinitely) is exactly what is proposed and being built.

In T208188#6159015, @Krinkle wrote:

@AlexisJazz What you describe (one-time permission for a specific third party, stored with your user account indefinitely) is exactly what is proposed and being built.

Right, what I'm saying is that users shouldn't have to edit a special page to allow Flickr. If users can tick a checkbox in the UploadWizard and that stores the exception for Flickr magically on that special page without leading the user away from the UploadWizard, that's fine.

This RFC is about gadgets and other user-generated scripts which are not reviewed and verified prior to being made available to users. For those, we need users to consent in a standardised way as the scripts themselves cannot be assumed or guruanteed to do this.

The foundation's privacy policy and general user expectations of privacy apply regardless of what technical solutions exist. Right now, UploadWizard already satisfies policy as it does not commnicate with Flickr from the user's browser unless the user interacts with that part of the feature, and even then only after it has warned the user about this. UploadWizard is installed on the server and can dynamnically add this third-party domain as needed to the CSP config for a specific special page. This already works today and does not need to change in any way. The system described in this RFC does not apply there.

In T208188#6160584, @Krinkle wrote:

This RFC is about gadgets and other user-generated scripts which are not reviewed and verified prior to being made available to users. For those, we need users to consent in a standardised way as the scripts themselves cannot be assumed or guruanteed to do this.

The foundation's privacy policy and general user expectations of privacy apply regardless of what technical solutions exist. Right now, UploadWizard already satisfies policy as it does not commnicate with Flickr from the user's browser unless the user interacts with that part of the feature, and even then only after it has warned the user about this. UploadWizard is installed on the server and can dynamnically add this third-party domain as needed to the CSP config for a specific special page. This already works today and does not need to change in any way. The system described in this RFC does not apply there.

Thanks for the clarification. What do you mean by "this already works today"? It doesn't work on betacommons.

In T208188#6161207, @AlexisJazz wrote:

What do you mean by "this already works today"? It doesn't work on betacommons.

See T244124

In T208188#6161225, @Aklapper wrote:

In T208188#6161207, @AlexisJazz wrote:

What do you mean by "this already works today"? It doesn't work on betacommons.

See T244124

I don't get it.

Content Security Policy: The page’s settings blocked the loading of a resource at https://api.flickr.com/services/rest/?&api_key=e9d…=json&nojsoncallback=1&method=flickr.photos.licenses.getInfo (“default-src”).

In T208188#6164185, @AlexisJazz wrote:

I don't get it.

Content Security Policy: The page’s settings blocked the loading of a resource at https://api.flickr.com/services/rest/?&api_key=e9d…=json&nojsoncallback=1&method=flickr.photos.licenses.getInfo (“default-src”).

That’s why there is T249486: Change Content Security Policy on betacommons to allow api.flickr.com as well. But it has nothing to do with this ticket.

For the table structure, I think it needs redesign, I'd be happy to discuss it with people who are planning to improve this (or help on getting this off the ground).

In T208188#8473508, @Ladsgroup wrote:

For the table structure, I think it needs redesign, I'd be happy to discuss it with people who are planning to improve this (or help on getting this off the ground).

As a clarifying note, i am no longer interested in working on this, and it doesn't particular seem like anyone else is.

As for table structure - if i was redesigning this now, i'd add a primary key and also normize csp_domain to a separate dictionary table to hold all the strings. Out of curiosity, is that what you mean or is there other things wrong with the design?

In T208188#8474775, @Bawolff wrote:

As a clarifying note, i am no longer interested in working on this, and it doesn't particular seem like anyone else is.

Do you think it's not useful or not important anymore, or is it just an issue of time / whatever other personal reason?

In T208188#8476317, @Tgr wrote:

In T208188#8474775, @Bawolff wrote:

As a clarifying note, i am no longer interested in working on this, and it doesn't particular seem like anyone else is.

Do you think it's not useful or not important anymore, or is it just an issue of time / whatever other personal reason?

Its a large project. Well i still enjoy contributing here and there as a volunteer, now that i don't work for WMF, i don't really want to or have the time to take on projects of this size that have a lot of moving pieces and involve lots of planning and getting buy-in, etc.

I still think this could be useful. The CSP stuff that made it into mediawiki core is sort of half finished and didn't really get to the point where we saw benefits. In my opinion, the gadget ecosystem, while critical to our users, is also probably the largest threat to security and privacy on Wikimedia websites, so i think there could be significant benefits here. If anyone is interested in taking it over, i'm happy to offer advice or discuss if that would be helpful, but I can't be the main driver at this time or in the forseeable future.

In T208188#8474775, @Bawolff wrote:

As for table structure - if i was redesigning this now, i'd add a primary key and also normize csp_domain to a separate dictionary table to hold all the strings. Out of curiosity, is that what you mean or is there other things wrong with the design?

Yeah, I think normalizing it and PK sounds good.

I'm not sure some requirements are true anymore. For example:

In the case of toolforge, they would have to specify a path, so tools.wmflabs.org/bawolff/ and not simply tools.wmflabs.org.

In T208188#8476377, @Bawolff wrote:

I still think this could be useful. The CSP stuff that made it into mediawiki core is sort of half finished and didn't really get to the point where we saw benefits. In my opinion, the gadget ecosystem, while critical to our users, is also probably the largest threat to security and privacy on Wikimedia websites, so i think there could be significant benefits here. If anyone is interested in taking it over, i'm happy to offer advice or discuss if that would be helpful, but I can't be the main driver at this time or in the forseeable future.

Totally understandable and agree. I can help in my volunteer capacity to drive this forward a bit but it's not really in my official job mandate. If anyone else is willing to help, I'd be happy to collaborate.

Change 557581 abandoned by Brian Wolff:

[mediawiki/core@master] Special page to add exceptions to CSP policy

Reason:

This is pretty bit-rotted, and im not working on this anymore (See the bug for discussion)

https://gerrit.wikimedia.org/r/557581