Requests for comment/Compliance with web standards and recommendations

From Meta, a Wikimedia project coordination wiki

The following request for comments is closed. Apparently everything relevant was in the process of being taken care of. StevenJ81 (talk) 23:01, 10 December 2018 (UTC)[reply]

The Wikipedias fail several checks. See

What do you think about making Wikipedias more compliant with web standards and recommendations? 17:37, 28 August 2017 (UTC)[reply]

Most of these are in the works:

  • CSP: T135963
  • pinning: T92002
  • X-Frame-Options: in theory, this is set when needed (on pages which have clickjackable content), see T48560
  • weak TLS ciphers: T147199
  • referrer policy: this seems like an error, we do implement a referrer policy (T87276)

That leaves Subresource Integrity (does not seem relevant, we serve our own assets) and X-XSS-Protection (obsoleted by CSP). --Tgr (WMF) (talk) 22:19, 28 August 2017 (UTC)[reply]

2018-06-08 : D+, Score: 40/100, Tests Passed: 7/11
Topic Points Text
Content Security Policy -25 Content Security Policy (CSP) header not implemented
Cookies 0 All cookies use the Secure flag and all session cookies use the HttpOnly flag
Cross-origin Resource Sharing 0 Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning 0 HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport Security +5 Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
Redirection 0 All hosts redirected to are in the HTTP Strict Transport Security (HSTS) preload list
Referrer Policy -5 Referrer-Policy header set unsafely to "origin", "origin-when-cross-origin", or "unsafe-url"
Subresource Integrity 0 Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
X-Content-Type-Options 0 X-Content-Type-Options header set to "nosniff"
X-Frame-Options -20 X-Frame-Options (XFO) header not implemented
X-XSS-Protection -10 X-XSS-Protection header not implemented