- // Include <meta> header which increases security level after initial load.
- // This helps mitigate attacks on browsers not supporting CSP2. It also
- // helps mitigate attacks due to the shared nonce that non-logged in users
- // get due to varnish cache.
- // Unclear if this is the best place to insert the meta tag, or if
- // it should be in a RL module. I figure its best to do this as early
- // as possible.
- // FIXME: Needs testing to see if this actually works properly
- $metaHeader = $csp->getMetaHeader( $cspConfig );
- if ( $metaHeader ) {
- $context->getOutput()->addScript(
- ResourceLoader::makeInlineScript(
- $csp->makeMetaInsertScript(
- $metaHeader
- ),
- $out->getCSPNonce()
- )
- );
- }
- }
-
- /**
- * Makes javascript to insert a meta CSP header after page load
- *
- * @see https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
- * @param string $metaContents content of meta tag
- * @return string JS for including in page
- */
- private function makeMetaInsertScript( $metaContents ) {
- return "$('\\x3Cmeta http-equiv=\"Content-Security-Policy\"\\x3E')" .
- '.attr("content",' .
- Xml::encodeJsVar( $metaContents ) .
- ').prependTo($("head"))';
+ // This used to insert a <meta> tag here, per advice at
+ // https://blogs.dropbox.com/tech/2015/09/unsafe-inline-and-nonce-deployment/
+ // The goal was to prevent nonce from working after the page hit onready,
+ // This would help in old browsers that didn't support nonces, and
+ // also assist for varnish-cached pages which repeat nonces.
+ // However, this is incompatible with how resource loader storage works
+ // via mw.domEval() so it was removed.