wikimedia-wordpress-security-plugin
Plugin for use implementing security enhancements to the Wikimedia Foundation's sites hosted on WordPress VIP.
GPL-2.0 License
Stars
2
Ecosystems:
MediaWiki
What's Changed
- Fix issue where "self" was removed from connect-src CSP directive in 1.1.0 by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/18
wikimedia-wordpress-security-plugin
- v1.1.0
Published by kadamwhite 6 months ago
What's Changed
- 1.1.0 updates by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/17
- Fix a typo in the README sample code which prevented it from working out of the box
- Fix a bug where a colon would be stripped out of URLs containing ports (fixes WIKI-965)
- Allow injection of valid keyword source strings like
'strict-dynamic'using this plugin - Allow configuration of
worker-srcdirectives using this plugin - Permit
blob:URLs for use inworker-srcdirective (supports Report plugin) - Remove web-project-specific environment URLs (fixes #13)
- Alter how
'self'directive is added to the directive array to permit it to be filtered later if needed - Only allow insecure
http:andws:schemes in local environments - Set
object-src 'none'as recommended by MDN - Allow
*.wikimedia.orginconnect-srcby default to permit first-party instrumentation
Full Changelog: https://github.com/wikimedia/wikimedia-wordpress-security-plugin/compare/v1.0.0...v1.1.0
wikimedia-wordpress-security-plugin
- v1.0: Initial release
Published by kadamwhite 6 months ago
What's Changed
- Port initial security logic from Foundation site and Shiro theme
- Improve CSP generation logic to streamline exceptions by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/7
- Enable CSP module and fix logical errors in CSP generation by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/8
- Implement REST API access control within security plugin by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/9
- Bundle disable emojis plugin by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/10
- Permit opting a site in to unsafe-eval when necessary by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/11
- Document public_endpoint REST filter by @kadamwhite in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/12
New Contributors
- @varnent made their first contribution in https://github.com/wikimedia/wikimedia-wordpress-security-plugin/pull/1
Full Changelog: https://github.com/wikimedia/wikimedia-wordpress-security-plugin/commits/v1.0.0