We've received quite a few CSP whitelist requests, and obviously the CSP is there to prevent abuse so whitelisting any requested URL would defeat its purpose so that's why we need a policy for how we decide what to whitelist or not.
Description
Description
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Declined | Reception123 | T5092 Create a CSP whitelist policy | ||
| Resolved | Zppix | T5017 Add shields.io to CSP whitelist (load external images) | ||
| Resolved | Reception123 | T4914 Content Security Policy Violation: Extension:AddThis | ||
| Resolved | Zppix | T4760 Add some sites to frame and CSP whitelist | ||
| Resolved | Unknown Object (User) | T4976 CSP whitelist request for www.desmos.com | ||
| Declined | Reception123 | T4944 CSP whitelist openagenda.com |
Event Timeline
Comment Actions
We're going to go for an informal policy which is that each request is case by case and users must be able to explain why the whitelist is essential for the functioning of their wiki. The decision to add it to the CSP should be approved by 2 SRE members.