
kkuttuwiki has enabled Cloudflare Workers and removed CSP headers
Closed, Resolved | Public

Description

For a short while, kkuttuwiki disabled the Content Security Policy.

They've restored the CSP now and disabled Cloudflare's function to do this per my request, but removing the CSP causes a huge security and privacy risk.

They self-disclosed that they had done this while waiting for T5630 to be fixed.

Removing the CSP should be impossible.
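The description above is about a reverse proxy on a custom domain (here a Cloudflare Worker) stripping the Content-Security-Policy header that the wiki's own servers send. The thread later concludes that this cannot be technically prevented while custom domains are allowed, so the practical control is to detect it: fetch the same page through the canonical host and through the custom domain, and diff the security headers. The following is an added example written for this page, not Miraheze's code or configuration; the hostnames, header values and the two sample proxy responses are constructed. The CSP comparison goes slightly beyond the incident in the description: besides a header that is missing outright, it also flags a header that was rewritten to drop a directive or to add a weakening source such as `'unsafe-inline'`.

```python
"""
Detect security-header drift between a wiki's canonical host and a
custom domain served through a third-party proxy.

Example code added for this task page; not Miraheze's own tooling.
All hostnames, header values and sample responses below are constructed.
"""
from typing import Dict, List, Set

# Headers the origin sets and a proxy is expected to pass through unchanged.
WATCHED_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
)

# Source expressions that weaken a CSP directive when they appear on the
# custom domain but not on the canonical host.
WEAKENING_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:"}


def parse_csp(value: str) -> Dict[str, Set[str]]:
    """Split a CSP header value into {directive: set(source expressions)}."""
    policy: Dict[str, Set[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # skip empty segments such as a trailing ';'
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy


def compare_headers(canonical: Dict[str, str], custom: Dict[str, str]) -> List[str]:
    """Return findings describing how `custom` is weaker than `canonical`.

    An empty list means the custom domain serves the same security headers
    as the canonical host. Header names are compared case-insensitively.
    """
    canon = {k.lower(): v for k, v in canonical.items()}
    cust = {k.lower(): v for k, v in custom.items()}
    findings: List[str] = []

    # 1. Headers removed outright (the situation described in this task).
    for name in WATCHED_HEADERS:
        if name in canon and name not in cust:
            findings.append(f"{name}: present on canonical host, missing on custom domain")

    # 2. CSP still present but rewritten: dropped directives or added weak sources.
    if "content-security-policy" in canon and "content-security-policy" in cust:
        base = parse_csp(canon["content-security-policy"])
        seen = parse_csp(cust["content-security-policy"])
        for directive, sources in base.items():
            if directive not in seen:
                findings.append(f"content-security-policy: directive {directive} dropped")
                continue
            weakened = (seen[directive] - sources) & WEAKENING_SOURCES
            if weakened:
                findings.append(
                    f"content-security-policy: {directive} gained {sorted(weakened)}"
                )
    return findings


# Constructed sample: what the canonical host sends.
CANONICAL_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.invalid",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a proxy that strips the CSP header entirely.
STRIPPED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a proxy that keeps the header but loosens script-src.
WEAKENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://static.example.invalid",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    # In a real monitor the two dicts would come from two HTTP responses for the
    # same URL path, one via the canonical host and one via the custom domain.
    for label, custom in (("stripped", STRIPPED_HEADERS), ("weakened", WEAKENED_HEADERS)):
        for finding in compare_headers(CANONICAL_HEADERS, custom) or ["no drift"]:
            print(f"[{label}] {finding}")
```

Run periodically against each custom domain, a non-empty result is the alert condition; the canonical host's own response serves as the baseline, so the check does not need to hard-code the expected policy.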

Event Timeline

RhinosF1 updated the task description. (Show Details)
Paladox raised the priority of this task from High to Unbreak Now!. May 23 2020, 17:01
Paladox lowered the priority of this task from Unbreak Now! to High. May 23 2020, 17:37

As discussed with the team, nothing much we can do, apart from stop supporting custom domains (ban the feature).

I've created T5644 as the user in question didn't realise that this was forbidden.

I don't see why this task needs to be open anymore, because the issue at hand has been resolved, and the only actionable task is T5644 (creating a policy to make sure this doesn't happen again). This task being open serves no more purpose, as T5644 is the main task.

Reception123 claimed this task.

For the record, since Amanda really wants this task public: I agree with RhinosF1, and since this will technically always be a vulnerability (but we choose to trust users instead of not making this feature possible), the making-it-public rule does not apply to this IMO, and therefore it should be kept private to avoid the Streisand effect.

Most users don't even know doing this specifically is possible, so there's no reason to tell them more than what T5644 will (i.e. any specifics about this). The policy would imply this is not allowed while not specifically mentioning this method to anyone.

Personally, the best we can say is that, due to the nature of how custom domains work, vulnerabilities are always public, but the task discusses the specifics of an exploit so we cannot disclose it.

But I recommend @Southparkfan approves what I just said.

WMF Security got back and said:

If a cleartext protocol is flowing through something intending to alter its contents directly in undesirable ways, then that traffic needs to be wrapped in something else or not flow through the rogue piece in the middle at all.

They have advised us to create an upstream task.

Please subscribe me to the ticket and link it here.

Paladox changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 9 2020, 12:21
Paladox changed the edit policy from "Custom Policy" to "All Users".