Requests for comment/Compliance with web standards and recommendations

From Meta, a Wikimedia project coordination wiki

The following request for comments is closed. Apparently everything relevant was in the process of being taken care of. StevenJ81 (talk) 23:01, 10 December 2018 (UTC)

The Wikipedias fail several checks. See https://observatory.mozilla.org/analyze.html?host=en.wikipedia.org

What do you think about making Wikipedias more compliant with web standards and recommendations? 77.180.38.231 17:37, 28 August 2017 (UTC)

Most of these are in the works:

  • CSP: T135963
  • pinning: T92002
  • X-Frame-Options: in theory, this is set when needed (on pages which have clickjackable content), see T48560
  • weak TLS ciphers: T147199
  • referrer policy: this seems like an error, we do implement a referrer policy (T87276)

That leaves Subresource Integrity (does not seem relevant, we serve our own assets) and X-XSS-Protection (obsoleted by CSP). --Tgr (WMF) (talk) 22:19, 28 August 2017 (UTC)

2018-06-08: D+, Score: 40/100, Tests Passed: 7/11

| Topic | Points | Text |
| --- | --- | --- |
| Content Security Policy | -25 | Content Security Policy (CSP) header not implemented |
| Cookies | 0 | All cookies use the Secure flag and all session cookies use the HttpOnly flag |
| Cross-origin Resource Sharing | 0 | Content is not visible via cross-origin resource sharing (CORS) files or headers |
| HTTP Public Key Pinning | 0 | HTTP Public Key Pinning (HPKP) header not implemented (optional) |
| HTTP Strict Transport Security | +5 | Preloaded via the HTTP Strict Transport Security (HSTS) preloading process |
| Redirection | 0 | All hosts redirected to are in the HTTP Strict Transport Security (HSTS) preload list |
| Referrer Policy | -5 | Referrer-Policy header set unsafely to "origin", "origin-when-cross-origin", or "unsafe-url" |
| Subresource Integrity | 0 | Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin |
| X-Content-Type-Options | 0 | X-Content-Type-Options header set to "nosniff" |
| X-Frame-Options | -20 | X-Frame-Options (XFO) header not implemented |
| X-XSS-Protection | -10 | X-XSS-Protection header not implemented |
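As an added illustration of what the header rows in the scan above actually test, here is a small audit script that takes a list of response headers and reports the same kinds of findings (missing CSP, cookies without Secure/HttpOnly, HSTS max-age, an unsafe Referrer-Policy value, a missing nosniff, and a missing X-Frame-Options with no CSP frame-ancestors fallback). It is not the Observatory's scoring code and not Wikimedia code; the two sample responses are constructed, the one-year HSTS minimum is an assumption taken from the preload list's requirement, and X-XSS-Protection is left out on purpose because, as noted earlier in the thread, CSP obsoletes it.

```python
"""Audit HTTP response headers against the header rows of the scan summary.
Added example, not Observatory or Wikimedia code; thresholds are assumptions."""
from http.cookies import SimpleCookie

# Referrer-Policy values the scan row calls unsafe.
UNSAFE_REFERRER_POLICIES = {"origin", "origin-when-cross-origin", "unsafe-url"}
# Assumed minimum HSTS max-age (one year), the value the preload list asks for.
HSTS_MIN_MAX_AGE = 31536000


def _split_headers(headers):
    """Lower-case header names; Set-Cookie is multi-valued, so keep it as a list."""
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value.strip()
    return single, cookies


def audit_cookies(set_cookie_values):
    """Every cookie needs Secure; session cookies (no Expires/Max-Age) need HttpOnly too."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} is missing the Secure flag")
            is_session = not morsel["expires"] and not morsel["max-age"]
            if is_session and not morsel["httponly"]:
                findings.append(f"session cookie {name!r} is missing the HttpOnly flag")
    return findings


def _hsts_max_age(value):
    """Return the max-age directive of an HSTS header as an int, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit_headers(headers):
    """headers: list of (name, value) pairs. Returns (check, message) tuples; [] means all passed."""
    h, cookies = _split_headers(headers)
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("csp", "Content-Security-Policy header not implemented"))

    findings += [("cookies", msg) for msg in audit_cookies(cookies)]

    hsts = h.get("strict-transport-security")
    max_age = _hsts_max_age(hsts) if hsts else None
    if max_age is None or max_age < HSTS_MIN_MAX_AGE:
        findings.append(("hsts", "Strict-Transport-Security missing or max-age below one year"))

    # A Referrer-Policy may carry several comma-separated tokens; the last recognised one wins.
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(("referrer-policy", "Referrer-Policy header not implemented"))
    else:
        last = rp.split(",")[-1].strip().lower()
        if last in UNSAFE_REFERRER_POLICIES:
            findings.append(("referrer-policy", f"Referrer-Policy set unsafely to {last!r}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("x-content-type-options", "X-Content-Type-Options is not 'nosniff'"))

    # CSP frame-ancestors supersedes X-Frame-Options, so either one satisfies the check.
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if "x-frame-options" not in h and not has_frame_ancestors:
        findings.append(("x-frame-options", "neither X-Frame-Options nor CSP frame-ancestors is set"))

    return findings


def failed_checks(headers):
    """Sorted list of check names that produced at least one finding."""
    return sorted({check for check, _ in audit_headers(headers)})


# Constructed sample responses (not real wikipedia.org headers).
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "pref=1; Path=/; Max-Age=86400"),
    ("Strict-Transport-Security", "max-age=106384710; includeSubDomains; preload"),
    ("Referrer-Policy", "origin-when-cross-origin"),
    ("X-Content-Type-Options", "nosniff"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "pref=1; Path=/; Max-Age=86400; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-Content-Type-Options", "nosniff"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, failed_checks(resp))
        for check, msg in audit_headers(resp):
            print(f"  [{check}] {msg}")
```

Run against the weak sample it reports the CSP, cookie, Referrer-Policy and X-Frame-Options problems and nothing else; the hardened sample produces no findings because the CSP carries frame-ancestors, every cookie is Secure, and the Referrer-Policy value is one the scan does not penalise.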