Merge e81a547 into 316aa85

lib/security_response_header_filter.js

@@ -3,6 +3,14 @@
 const P = require('bluebird');
 const HTTPError = require('hyperswitch').HTTPError;
 
+const MOBILE_CSP = "default-src 'none'; " +
+    'connect-src https://*.wikipedia.org; ' +
+    'media-src *; ' +
+    'img-src * data:; ' +
+    "script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; " +
+    'style-src app://meta.wikimedia.org https://meta.wikimedia.org ' +
+    "app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline'; " +
+    "frame-ancestors 'self'";
 /**
  * Filter adding security-relevant response headers like CSP.
  */
@@ -83,6 +91,13 @@ module.exports = function addCSPHeaders(hyper, req, next, options) {
             // XXX: Re-consider this policy
             if (rh['content-security-policy']) {
                 csp = rh['content-security-policy'];
+            } else if (options.mobile) {
+                // TODO: This is a copy-paste from MCS. T229016
+                // In future we would want MCS to manage it's storage,
+                // but currently we can not store special CSP as changing them would require
+                // truncating all the stored content. So we have no option other then
+                // setting them explicitly in RESTBase code.
+                csp = MOBILE_CSP;
             } else {
                 // Our main production clients will ignore CSP anyway (by loading via
                 // XHR or fetch), so we need to sanitize our HTML assuming that no

v1/pcs/mobile-html.yaml

@@ -17,6 +17,8 @@ paths:
         options:
           redirect_cache_control: '{{options.response_cache_control}}'
       - path: lib/security_response_header_filter.js
+        options:
+          mobile: true
     get: &mobile-html_title_revision_get_spec
       tags:
         - Page content