Requests for comment/Compliance with web standards and recommendations

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search

The following request for comments is closed. Apparently everything relevant was in the process of being taken care of. StevenJ81 (talk) 23:01, 10 December 2018 (UTC)Reply[reply]

The Wikipedias fail several checks. See

What do you think about making Wikipedias more compliant with web standards and recommendations? 17:37, 28 August 2017 (UTC)Reply[reply]

Most of these are in the works:

  • CSP: T135963
  • pinning: T92002
  • X-Frame-Options: in theory, this is set when needed (on pages which have clickjackable content), see T48560
  • weak TLS ciphers: T147199
  • referrer policy: this seems like an error, we do implement a referrer policy (T87276)

That leaves Subresource Integrity (does not seem relevant, we serve our own assets) and X-XSS-Protection (obsoleted by CSP). --Tgr (WMF) (talk) 22:19, 28 August 2017 (UTC)Reply[reply]

2018-06-08 : D+, Score: 40/100, Tests Passed: 7/11
Topic Points Text
Content Security Policy -25 Content Security Policy (CSP) header not implemented
Cookies 0 All cookies use the Secure flag and all session cookies use the HttpOnly flag
Cross-origin Resource Sharing 0 Content is not visible via cross-origin resource sharing (CORS) files or headers
HTTP Public Key Pinning 0 HTTP Public Key Pinning (HPKP) header not implemented (optional)
HTTP Strict Transport Security +5 Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
Redirection 0 All hosts redirected to are in the HTTP Strict Transport Security (HSTS) preload list
Referrer Policy -5 Referrer-Policy header set unsafely to "origin", "origin-when-cross-origin", or "unsafe-url"
Subresource Integrity 0 Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
X-Content-Type-Options 0 X-Content-Type-Options header set to "nosniff"
X-Frame-Options -20 X-Frame-Options (XFO) header not implemented
X-XSS-Protection -10 X-XSS-Protection header not implemented