9 protected function setUp() {
12 'wgAllowExternalImages' =>
false,
13 'wgAllowExternalImagesFrom' => [],
14 'wgAllowImageTag' =>
false,
15 'wgEnableImageWhitelist' =>
false,
16 'wgCrossSiteAJAXdomains' => [
17 'sister-site.somewhere.com',
21 'wgScriptPath' =>
'/w',
22 'wgForeignFileRepos' => [ [
23 'class' => ForeignAPIRepo::class,
24 'name' =>
'wikimediacommons',
25 'apibase' =>
'https://commons.wikimedia.org/w/api.php',
26 'url' =>
'https://upload.wikimedia.org/wikipedia/commons',
27 'thumbUrl' =>
'https://upload.wikimedia.org/wikipedia/commons/thumb',
29 'transformVia404' =>
true,
30 'fetchDescription' =>
true,
31 'descriptionCacheExpiry' => 43200,
32 'apiThumbCacheExpiry' => 0,
34 'backend' =>
'wikimediacommons-backend',
41 $context = RequestContext::getMain();
42 $resp =
$context->getRequest()->response();
45 $this->csp = TestingAccessWrapper::newFromObject(
$csp );
47 return parent::setUp();
62 [
'Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0',
true ],
63 [
'Mozilla/5.0 (X11; U; Linux i686; en-ca) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6',
false ]
78 $actualReport = $this->csp->makeCSPDirectives(
81 $policyJson = formatJson::encode( $policy );
82 $this->
assertEquals( $expectedFull, $actualFull,
"full: " . $policyJson );
83 $this->
assertEquals( $expectedReport, $actualReport,
"report: " . $policyJson );
91 [
'useNonces' =>
false ],
92 "script-src 'unsafe-eval' 'self' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
93 "script-src 'unsafe-eval' 'self' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
94 "script-src 'unsafe-eval' 'self' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'"
98 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
99 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
103 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
104 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
107 [
'script-src' => [
'http://example.com',
'http://something,else.com' ] ],
108 "script-src 'unsafe-eval' 'self' 'nonce-secret' http://example.com http://something%2Celse.com 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
109 "script-src 'unsafe-eval' 'self' 'nonce-secret' http://example.com http://something%2Celse.com 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
112 [
'unsafeFallback' =>
false ],
113 "script-src 'unsafe-eval' 'self' 'nonce-secret' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
114 "script-src 'unsafe-eval' 'self' 'nonce-secret' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
117 [
'unsafeFallback' =>
true ],
118 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
119 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
122 [
'default-src' =>
false ],
123 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
124 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
127 [
'default-src' =>
true ],
128 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
129 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
132 [
'default-src' => [
'https://foo.com',
'http://bar.com',
'baz.de' ] ],
133 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
134 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
137 [
'includeCORS' =>
false ],
138 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
139 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
142 [
'includeCORS' =>
false,
'default-src' =>
true ],
143 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
144 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
147 [
'includeCORS' =>
true ],
148 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
149 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
152 [
'report-uri' =>
false ],
153 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'",
154 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'",
157 [
'report-uri' =>
true ],
158 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
159 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
162 [
'report-uri' =>
'https://example.com/index.php?foo;report=csp' ],
163 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri https://example.com/index.php?foo%3Breport=csp",
164 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri https://example.com/index.php?foo%3Breport=csp",
180 $expected =
"script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&";
188 $actual = $this->csp->makeCSPDirectives(
192 $expected =
"script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&";
203 'Content-Security-Policy-Report-Only'
207 'Content-Security-Policy'
216 $fullExpected =
'/w/api.php?action=cspreport&format=json&';
217 $this->
assertEquals( $full, $fullExpected,
'normal report uri' );
220 $reportExpected = $fullExpected .
'reportonly=1&';
221 $this->
assertEquals( $report, $reportExpected,
'report only' );
226 $escExpected =
'/tl%3Bdr/a%2C%20wiki/api.php?action=cspreport&format=json&';
228 $this->
assertEquals( $esc, $escExpected,
'test esc rules' );
236 $actual = $this->csp->prepareUrlForCSP( $url );
244 [
'https://example.com',
'https://example.com' ],
245 [
'https://example.com:200',
'https://example.com:200' ],
246 [
'http://example.com',
'http://example.com' ],
247 [
'example.com',
'example.com' ],
248 [
'*.example.com',
'*.example.com' ],
249 [
'https://*.example.com',
'https://*.example.com' ],
250 [
'//example.com',
'example.com' ],
251 [
'https://example.com/path',
'https://example.com' ],
252 [
'https://example.com/path:',
'https://example.com' ],
253 [
'https://example.com/Wikipedia:NPOV',
'https://example.com' ],
254 [
'https://tl;dr.com',
'https://tl%3Bdr.com' ],
255 [
'yes,no.com',
'yes%2Cno.com' ],
256 [
'/relative-url',
false ],
257 [
'/relativeUrl:withColon',
false ],
258 [
'data:',
'data:' ],
259 [
'blob:',
'blob:' ],
267 $escaped = $this->csp->escapeUrlForCSP(
',;%2B' );
276 $this->
setMwGlobals(
'wgCSPReportOnlyHeader', $reportOnly );
284 [
true,
true,
true ],
285 [
false,
true,
true ],
286 [
true,
false,
true ],
287 [
false,
false,
false ],
290 [ [
'default-src' => [
'foo.example.com' ] ],
false,
true ],
and that you know you can do these things To protect your we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the or if you modify it For if you distribute copies of such a whether gratis or for a you must give the recipients all the rights that you have You must make sure that receive or can get the source code And you must show them these terms so they know their rights We protect your rights with two and(2) offer you this license which gives you legal permission to copy
$wgUploadDirectory
The filesystem path of the images directory.
$wgScriptPath
The path we should point to.
$wgAllowImageTag
A different approach to the above: simply allow the "<img>" tag to be used.
$wgServer
URL of the server.
wfSetVar(&$dest, $source, $force=false)
Sets dest to source and returns the original value of dest If source is NULL, it just returns the val...
testPrepareUrlForCSP( $url, $expected)
providerPrepareUrlForCSP ContentSecurityPolicy::prepareUrlForCSP
testMakeCSPDirectives( $policy, $expectedFull, $expectedReport)
providerMakeCSPDirectives ContentSecurityPolicy::makeCSPDirectives
testEscapeUrlForCSP()
ContentSecurityPolicy::escapeUrlForCSP.
testFalsePositiveBrowser( $ua, $expected)
providerFalsePositiveBrowser ContentSecurityPolicy::falsePositiveBrowser
providerFalsePositiveBrowser()
testCSPIsEnabled( $main, $reportOnly, $expected)
providerCSPIsEnabled ContentSecurityPolicy::isNonceRequired
providerMakeCSPDirectives()
testGetHeaderName()
ContentSecurityPolicy::getHeaderName.
testMakeCSPDirectivesImage()
ContentSecurityPolicy::makeCSPDirectives.
ContentSecurityPolicy $csp
testMakeCSPDirectivesReportUri()
ContentSecurityPolicy::makeCSPDirectives.
testGetReportUri()
ContentSecurityPolicy::getReportUri.
providerPrepareUrlForCSP()
static isNonceRequired(Config $config)
Should we set nonce attribute.
static falsePositiveBrowser( $ua)
Does this browser give false positive reports?
static destroySingleton()
Destroy the singleton instance, so that a new one will be created next time singleton() is called.
do that in ParserLimitReportFormat instead use this to modify the parameters of the image all existing parser cache entries will be invalid To avoid you ll need to handle that somehow(e.g. with the RejectParserCacheValue hook) because MediaWiki won 't do it for you. & $defaults also a ContextSource after deleting those rows but within the same transaction you ll probably need to make sure the header is varied on and they can depend only on the ResourceLoaderContext $context
null means default in associative array with keys and values unescaped Should be merged with default with a value of false meaning to suppress the attribute in associative array with keys and values unescaped noclasses just before the function returns a value If you return true
processing should stop and the error should be shown to the user * false