
Properly set the Reporting-Endpoints header and the report-to directive via MediaWiki's CSP implementation
Closed, ResolvedPublic

Description

With the merger of this dated patch, we are not setting the Reporting-Endpoints header and thus improperly setting the corresponding report-to CSP directive. I think when T249513 was filed, it was assumed that report-to would just use the same reporting URL pattern as report-uri, but that is not the case. A reporting endpoint first needs to be named and then associated with the report-to directive, e.g.

Reporting-Endpoints: csp-endpoint="https://example.com"
Content-Security-Policy: default-src 'self'; report-to csp-endpoint;

Eventually we should also fully drop support for report-uri in MediaWiki, which it looks like might be possible according to caniuse...

  1. report-uri: https://caniuse.com/mdn-http_headers_content-security-policy_report-uri
  2. report-to: https://caniuse.com/mdn-http_headers_content-security-policy_report-to
  3. Reporting-Endpoints: https://caniuse.com/mdn-http_headers_reporting-endpoints

Event Timeline

Restricted Application added a subscriber: Aklapper.
sbassett changed the task status from Open to In Progress. Apr 21 2026, 5:05 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.

Change #1277205 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@master] Add Reporting-Endpoints header support and fix report-to directive functionality

https://gerrit.wikimedia.org/r/1277205

Test wiki created on Patch demo by SBassett (WMF) using patch(es) linked to this task:
https://173e7e3460.catalyst.wmcloud.org/w/

Change #1277205 merged by jenkins-bot:

[mediawiki/core@master] Add Reporting-Endpoints header support and fix report-to directive

https://gerrit.wikimedia.org/r/1277205

Change #1284001 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@master] Remove erroneous @var type statements

https://gerrit.wikimedia.org/r/1284001

Change #1284008 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/mediawiki-config@master] Enable CSPUseReportURIDirective in Wikimedia production

https://gerrit.wikimedia.org/r/1284008

Change #1284001 merged by jenkins-bot:

[mediawiki/core@master] Remove erroneous @var type statements

https://gerrit.wikimedia.org/r/1284001

Change #1284008 merged by jenkins-bot:

[operations/mediawiki-config@master] Enable CSPUseReportURIDirective in Wikimedia production

https://gerrit.wikimedia.org/r/1284008

Mentioned in SAL (#wikimedia-operations) [2026-05-11T21:09:07Z] <mstyles@deploy1003> Started scap sync-world: Backport for [[gerrit:1284008|Enable CSPUseReportURIDirective in Wikimedia production (T424058)]]

Mentioned in SAL (#wikimedia-operations) [2026-05-11T21:10:50Z] <mstyles@deploy1003> sbassett, mstyles: Backport for [[gerrit:1284008|Enable CSPUseReportURIDirective in Wikimedia production (T424058)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

sbassett moved this task from In Progress to Done on the ContentSecurityPolicy board.
sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.

Mentioned in SAL (#wikimedia-operations) [2026-05-11T21:15:43Z] <mstyles@deploy1003> Finished scap sync-world: Backport for [[gerrit:1284008|Enable CSPUseReportURIDirective in Wikimedia production (T424058)]] (duration: 06m 36s)

This is in production now, at least on group0 and group1. And report-uri should be configured as a default:

mwscript shell.php
> print_r( $wmgCSPUseReportURIDirective );
= true

> print_r( $wgCSPUseReportURIDirective );
= true

But I'm only seeing report-to enabled on test.wikipedia.org, mediawiki.org, etc. Not really sure why.

This works fine for me testing locally with MediaWiki master and MediaWiki-docker:

local http headers
content-security-policy: script-src 'unsafe-eval' blob: 'self' localhost localhost:* 127.0.0.1 127.0.0.1: 'unsafe-inline'; default-src 'self' data: blob: localhost localhost:* 127.0.0.1 127.0.0.1:; style-src 'self' data: blob: localhost localhost:* 127.0.0.1 127.0.0.1: 'unsafe-inline'; object-src 'none'; report-uri /w/api.php?action=cspreport&format=json; report-to csp-report-to-endpoint
...
reporting-endpoints: csp-report-to-endpoint='/w/api.php?action=cspreport&format=json';

And the extensive unit tests that account for multiple config scenarios still appear to be correct and passing.

So looking at mediawiki.org - when logged out, I get the old report-uri directive and no reporting-endpoints header. When logged in, I only get the report-to directive and the correct reporting-endpoints header. I understood that the current config should be setting both directives in both situations. @ssingh, @Bawolff - any thoughts on what might be happening here? I find the behavior confusing, since we should no longer be setting CSP via any session-related flags/values or $wgExtensionFunctions.

Well, this has had an impact on CSP reports:

Screenshot 2026-05-14 at 10.09.39 AM.png (580×290 px, 24 KB)

@sbassett: I am having a bit of trouble parsing what exactly is failing, but if it is just the report-to header, note that we set that in Varnish (VCL) for Network Error Logging. That looks like, for example,

report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }

Which means that it doesn't matter what you set at MW -- the Varnish one will override that. Is that what is happening here? Note we only set report-to and not reporting-endpoints.

So yeah, if we want to update report-to, we will need to do that in VCL.

@ssingh - It's that, with current MW config, we should be seeing both the report-to directive in the CSP policy (and corresponding report endpoint) and the report-uri directive. We are currently seeing the correct report-to directive (and corresponding report endpoint) everywhere now (not as I had previously reported). This shouldn't really have anything to do with the report-to header.

For example, just going to enwiki logged-in or logged-out right now, I see:

content-security-policy: script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org mediawiki.org wikimedia.org *.wmflabs.org *.wmcloud.org *.toolforge.org wss://*.toolforge.org *.jsdelivr.net unpkg.com cdnjs.cloudflare.com ...{a big list of more domains}... db.onlinewebfonts.com fontlibrary.org 'unsafe-inline'; object-src 'none'; report-to csp-report-to-endpoint
...
reporting-endpoints: csp-report-to-endpoint='/w/api.php?action=cspreport&format=json';

This is correct, but there should also be a redundant report-uri directive as well. This was set via https://gerrit.wikimedia.org/r/1284008 for both Wikimedia production and beta. And the config variable is set to true when I check it via shell.php on deployment:

> print_r( $wmgCSPUseReportURIDirective );
= true

> print_r( $wgCSPUseReportURIDirective );

= true

This also works as expected testing in MediaWiki-Docker and in the WM core CSP unit tests. So I'm just trying to debug why the redundant report-uri directive is not showing up in Wikimedia production as is expected. I'm running out of ideas and wanted to double-check that there was no conflicting VCL or other config interfering here.
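
The two header formats discussed in this task are easy to mix up: the Reporting-Endpoints header plus the CSP report-to directive from the description, and the separate, JSON-valued Report-To header that Varnish sets for Network Error Logging. The following Python check is added here as an illustration only; it is not MediaWiki code and not part of any linked patch. It parses the three headers from one response and reports whether the CSP report-to group resolves to a named endpoint (via either header) and whether the redundant report-uri directive the deployed config is expected to produce is present. The sample header sets are constructed from values quoted in this task; the header names are assumed lower-cased as a client library would present them.

```python
import json

# Constructed samples, built from values quoted in this task (not captured responses).
BROKEN = {  # the situation the task description reports: report-to names a group nobody defines
    "content-security-policy": "default-src 'self'; report-to csp-endpoint;",
}
LOCAL_OK = {  # the MediaWiki-Docker output quoted above, trimmed to the relevant directives
    "content-security-policy": "default-src 'self' data: blob: localhost; object-src 'none'; "
                               "report-uri /w/api.php?action=cspreport&format=json; "
                               "report-to csp-report-to-endpoint",
    "reporting-endpoints": "csp-report-to-endpoint='/w/api.php?action=cspreport&format=json';",
}
PROD_NO_REPORT_URI = {  # the production observation: report-to resolves, report-uri missing,
    "content-security-policy": "script-src 'self' *.wikipedia.org 'unsafe-inline'; object-src 'none'; "
                               "report-to csp-report-to-endpoint",
    "reporting-endpoints": "csp-report-to-endpoint='/w/api.php?action=cspreport&format=json';",
    # plus the NEL group Varnish adds, which is unrelated to the CSP group name
    "report-to": '{ "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": '
                 '"https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error'
                 '&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }',
}


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [source values]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_reporting_endpoints(value):
    """Parse a Reporting-Endpoints header (a dictionary of name="url" members).

    The spec and the task description use double-quoted strings; this parser also
    tolerates the single-quoted, ';'-terminated form in the MediaWiki output quoted above."""
    endpoints = {}
    for member in value.split(","):
        member = member.strip().rstrip(";").strip()
        if not member:
            continue
        name, _, url = member.partition("=")  # first '=' separates name from the URL
        endpoints[name.strip()] = url.strip().strip("\"'")
    return endpoints


def parse_report_to_header(value):
    """Parse the legacy Report-To header: comma-separated JSON group objects.

    Returns {group name: [endpoint URLs]}; a group without a name is 'default'."""
    if not value.strip():
        return {}
    groups = json.loads("[" + value + "]")
    return {g.get("group", "default"): [e["url"] for e in g.get("endpoints", [])]
            for g in groups}


def check_csp_reporting(headers, expect_report_uri=True):
    """Return a list of findings for one response's headers; an empty list means consistent."""
    findings = []
    csp = parse_csp(headers.get("content-security-policy", ""))
    endpoints = parse_reporting_endpoints(headers.get("reporting-endpoints", ""))
    legacy = parse_report_to_header(headers.get("report-to", ""))
    groups = csp.get("report-to", [])
    if not groups:
        findings.append("CSP has no report-to directive")
    for group in groups:
        if group in endpoints or group in legacy:
            continue  # the group is named by Reporting-Endpoints (modern) or Report-To (legacy)
        findings.append(f"report-to group {group!r} is not defined by any "
                        "Reporting-Endpoints or Report-To header")
    if expect_report_uri and "report-uri" not in csp:
        findings.append("CSP lacks the redundant report-uri directive")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("description (broken)", BROKEN),
                        ("local docker", LOCAL_OK),
                        ("production before fix", PROD_NO_REPORT_URI)):
        print(f"{label}: {check_csp_reporting(hdrs) or 'OK'}")
```

Running the check over real responses only needs the three header values from a single request, so it can be pointed at logged-in and logged-out fetches of the same page to reproduce the comparison made in this task without reading the CSP by eye.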

Change #1288999 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/mediawiki-config@master] Explicitly set wgCSPUseReportURIDirective and not wmgCSPUseReportURIDirective to true

https://gerrit.wikimedia.org/r/1288999

Change #1288999 merged by jenkins-bot:

[operations/mediawiki-config@master] Explicitly set wgCSPUseReportURIDirective and not wmgCSPUseReportURIDirective to true

https://gerrit.wikimedia.org/r/1288999

Mentioned in SAL (#wikimedia-operations) [2026-05-19T20:49:09Z] <sbassett@deploy1003> Started scap sync-world: Backport for [[gerrit:1288999|Explicitly set wgCSPUseReportURIDirective and not wmgCSPUseReportURIDirective to true (T424058)]]

Mentioned in SAL (#wikimedia-operations) [2026-05-19T20:51:02Z] <sbassett@deploy1003> sbassett: Backport for [[gerrit:1288999|Explicitly set wgCSPUseReportURIDirective and not wmgCSPUseReportURIDirective to true (T424058)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-05-19T20:55:49Z] <sbassett@deploy1003> Finished scap sync-world: Backport for [[gerrit:1288999|Explicitly set wgCSPUseReportURIDirective and not wmgCSPUseReportURIDirective to true (T424058)]] (duration: 06m 40s)

And this is fixed.

Test wiki on Patch demo by SBassett (WMF) using patch(es) linked to this task was deleted:

https://173e7e3460.catalyst.wmcloud.org/w/