User:BWolff (WMF)/CSP/7
So we put $wgCSPHeader = true; in LocalSettings.php.
Now the following code should be fine from an XSS point of view (and is included on this page):
{{#widget:iframe|width=0|height=0|url=https://example.com/"onl{{safesubst:ns:0}}oad="alert('All\40your\40base\40are\40belong\40to\40us')}}
But no alert is generated. Instead, you can see that an error is reported in the JavaScript console. Additionally, if you have MediaWiki debug logging enabled, a log entry is made in the csp channel.
{{#widget:iframe|width=0|height=0|url=https://example.com/"onload="alert('All\40your\40base\40are\40belong\40to\40us')}}
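As an added example (not part of this page or of MediaWiki's own code), here is a LocalSettings.php fragment that enables the header exactly as described above and also routes the csp debug log channel to its own file, so that a blocked inline handler like the one demonstrated on this page leaves a record an administrator can review. $wgCSPReportOnlyHeader and $wgDebugLogGroups are existing MediaWiki settings; the log file path is an assumption.

```php
// Added example; append to LocalSettings.php (which already begins with <?php).

// Enforce the Content-Security-Policy header. With this set, the injected
// onload="..." handler shown above is blocked by the browser rather than run.
$wgCSPHeader = true;

// Alternative while rolling CSP out on an existing wiki: send the
// Content-Security-Policy-Report-Only header instead, so violations are
// reported back to the wiki but nothing is blocked yet.
// $wgCSPReportOnlyHeader = true;

// Write the 'csp' debug log channel (where the violation entry mentioned
// above is recorded) to a dedicated file. The path is an assumption: choose
// one the web server can write to but that is not served to the public.
$wgDebugLogGroups['csp'] = '/var/log/mediawiki/csp.log';
```

Use the enforcing setting on a wiki you are confident does not rely on inline scripts, and the report-only variant first on a wiki with many gadgets or extensions: the log file then shows which pages would break before any user-visible blocking happens.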