authorBrian Wolff <bawolff+wn@gmail.com>2020-02-17 04:10:36 -0800
committerJames D. Forrester <jforrester@wikimedia.org>2020-02-18 16:20:56 -0800
commit97c992eb5d01abb10039bb44bfbd69b4d0daa39d (patch)
treeb829a29c10be79e5a5a85ea23517c2a48d5d0df7 /includes/ContentSecurityPolicy.php
parenta6f5dad6bf9453da99563def8179085539e1b118 (diff)
downloadmediawikicore-97c992eb5d01abb10039bb44bfbd69b4d0daa39d.tar.gz
mediawikicore-97c992eb5d01abb10039bb44bfbd69b4d0daa39d.zip
Add object-src 'none' to MW CSP directive (configurable)
<object> and <embed> are from a mostly bygone era. They often can be used to evade CSP rules, and are often a soft spot for browser security. The default value of 'none' disables <object> and <embed>. In some browsers this will also disable loading some file formats like pdf directly in an iframe. The only use I am aware of is in TimedMediaHandler. However, it seems like the mw.EmbedPlayerGeneric, mw.EmbedPlayerKplayer, and mw.EmbedPlayerVlc.js are no longer used. Bug: T239051 Change-Id: Iae7ab1f5b7c422803782848c787bc1a4c6339913
Diffstat (limited to 'includes/ContentSecurityPolicy.php')
-rw-r--r--includes/ContentSecurityPolicy.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/includes/ContentSecurityPolicy.php b/includes/ContentSecurityPolicy.php
index 6866f089e2d0..cfba053b98b3 100644
--- a/includes/ContentSecurityPolicy.php
+++ b/includes/ContentSecurityPolicy.php
@@ -254,6 +254,14 @@ class ContentSecurityPolicy {
}
}
}
+ // Default value 'none'. true is none, false is nothing, string is single directive,
+ // array is list.
+ if ( !isset( $policyConfig['object-src'] ) || $policyConfig['object-src'] === true ) {
+ $objectSrc = [ "'none'" ];
+ } else {
+ $objectSrc = (array)( $policyConfig['object-src'] ?: [] );
+ }
+ $objectSrc = array_map( [ $this, 'escapeUrlForCSP' ], $objectSrc );
$directives = [];
if ( $scriptSrc ) {
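Review bot: The comment on lines 27-28 ("false is nothing") understates what a falsy `object-src` config does: line 32 turns `false`, `''` or `'0'` into an empty `$objectSrc`, so no `object-src` directive is sent at all, and in CSP the browser then falls back to `default-src`, leaving `<object>`/`<embed>` unrestricted whenever no `default-src` is emitted. Suggested wording for the comment: `// false (or any empty value) emits no object-src directive; the browser then falls back to default-src, which leaves <object>/<embed> unrestricted if no default-src is set. A string or array is used as-is, so keyword sources must keep their quotes (e.g. "'self'").` Line 34 also runs `escapeUrlForCSP` over the `'none'` keyword itself, which is harmless only if that helper merely neutralises separator characters; that cannot be confirmed from this hunk. The enclosing method starts before this hunk and continues past it, and the hunk header reports six old-side lines while five are shown, so a blank context line is probably lost in this rendering.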
@@ -268,6 +276,9 @@ class ContentSecurityPolicy {
if ( $imgSrc ) {
$directives[] = 'img-src ' . implode( ' ', array_unique( $imgSrc ) );
}
+ if ( $objectSrc ) {
+ $directives[] = 'object-src ' . implode( ' ', $objectSrc );
+ }
if ( $reportUri ) {
$directives[] = 'report-uri ' . $reportUri;
}
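Review bot: The `object-src` directive on line 42 is built without `array_unique`, unlike `img-src` on line 39 (and presumably the other source directives above this hunk), so a configured array with repeated entries is echoed verbatim into the header. For consistency with its siblings use `$directives[] = 'object-src ' . implode( ' ', array_unique( $objectSrc ) );`. The `if ( $objectSrc )` guard on line 41 means an empty configured list yields no `object-src` at all rather than an explicit deny, which matches the earlier hunk's comment but is worth remembering when `default-src` is also absent. The enclosing method starts before this hunk and continues past it.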