Requests for comment/Compliance with web standards and recommendations
Tools
Actions
General
Print/export
In other projects
Appearance
From Meta, a Wikimedia project coordination wiki
The following request for comments is closed. Apparently everything relevant was in the process of being taken care of. StevenJ81 (talk) 23:01, 10 December 2018 (UTC)[reply]
The Wikipedias fail several checks. See https://observatory.mozilla.org/analyze.html?host=en.wikipedia.org
What do you think about making Wikipedias more compliant with web standards and recommendations? 77.180.38.231 17:37, 28 August 2017 (UTC)[reply]
Most of these are in the works:
- CSP: T135963
- pinning: T92002
- X-Frame-Options: in theory, this is set when needed (on pages which have clickjackable content), see T48560
- weak TLS ciphers: T147199
- referrer policy: this seems like an error, we do implement a referrer policy (T87276)
That leaves Subresource Integrity (does not seem relevant, we serve our own assets) and X-XSS-Protection (obsoleted by CSP). --Tgr (WMF) (talk) 22:19, 28 August 2017 (UTC)[reply]
Topic | Points | Text |
---|---|---|
Content Security Policy | -25 | Content Security Policy (CSP) header not implemented |
Cookies | 0 | All cookies use the Secure flag and all session cookies use the HttpOnly flag |
Cross-origin Resource Sharing | 0 | Content is not visible via cross-origin resource sharing (CORS) files or headers |
HTTP Public Key Pinning | 0 | HTTP Public Key Pinning (HPKP) header not implemented (optional) |
HTTP Strict Transport Security | +5 | Preloaded via the HTTP Strict Transport Security (HSTS) preloading process |
Redirection | 0 | All hosts redirected to are in the HTTP Strict Transport Security (HSTS) preload list |
Referrer Policy | -5 | Referrer-Policy header set unsafely to "origin", "origin-when-cross-origin", or "unsafe-url" |
Subresource Integrity | 0 | Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin |
X-Content-Type-Options | 0 | X-Content-Type-Options header set to "nosniff" |
X-Frame-Options | -20 | X-Frame-Options (XFO) header not implemented |
X-XSS-Protection | -10 | X-XSS-Protection header not implemented |