User:BWolff (WMF)/CSP/7

So we put $wgCSPHeader = true; in LocalSettings.php.

Now the following code should be fine from an XSS point of view (and is included on this page):

{{#widget:iframe|width=0|height=0|url=https://example.com/"onl{{safesubst:ns:0}}oad="alert('All\40your\40base\40are\40belong\40to\40us')}}

But no alert is generated. Instead, you can see that an error is generated in the JavaScript console. Additionally, if you have MediaWiki debug logging enabled, a log entry is made in the csp channel.

{{#widget:iframe|width=0|height=0|url=https://example.com/"onload="alert('All\40your\40base\40are\40belong\40to\40us')}}
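The two things going on above are (1) the url parameter breaking out of the src attribute to add an onload handler, and (2) the CSP header deciding whether that inline handler may run. The following is an added example, not MediaWiki or Widgets extension code: a small checker that applies the browser's CSP rules for inline event handlers to a policy string, plus a constructed iframe template showing why attribute escaping is the primary fix and CSP the backstop. The policy strings and the template are assumptions for illustration, not the header MediaWiki actually sends.

```python
"""Added example: does a CSP policy let an injected inline event handler run?

Rules applied (CSP Level 2/3 as implemented by current browsers):
  - event handler attributes are governed by script-src-attr, falling back to
    script-src, then default-src;
  - they need 'unsafe-inline' in that directive;
  - 'unsafe-inline' is ignored when the same directive also carries a nonce
    or hash source or 'strict-dynamic' (only the exact hashed handler could
    then be allowed via 'unsafe-hashes', never an attacker-chosen one).
"""
import html


def parse_csp(header):
    """Return {directive: [source tokens]} from a serialized policy string."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def inline_handlers_allowed(header):
    """True if an arbitrary (attacker-chosen) onload= handler would execute."""
    policy = parse_csp(header)
    sources = policy.get("script-src-attr",
                         policy.get("script-src", policy.get("default-src")))
    if sources is None:
        return True  # no governing directive, so inline script is unrestricted
    if "'unsafe-inline'" not in sources:
        return False
    for src in sources:
        if src.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
            return False  # nonce/hash present: 'unsafe-inline' is ignored
        if src == "'strict-dynamic'":
            return False
    return True


# Constructed input mirroring the widget call on this page.
INJECTED_URL = 'https://example.com/"onload="alert(\'All your base\')'


def iframe_markup(url, escape=True):
    """Assumed iframe template; escape=False reproduces the attribute break-out."""
    value = html.escape(url, quote=True) if escape else url
    return '<iframe width="0" height="0" src="%s"></iframe>' % value
```

With escaping off the markup contains a live `onload="` attribute, and only a policy without an effective `'unsafe-inline'` stops it; with escaping on, the quote is turned into `&quot;` and no handler attribute exists for CSP to block.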
