There are probably some stragglers that have yet to turn up, but we appear to have survived this largely unscathed.
Advanced Search
Dec 12 2018
Nov 26 2018
Nov 25 2018
Nov 17 2018
Nov 15 2018
Nov 13 2018
I'm going to start landing this stuff now. master will start complaining about unsafe queries all over the place (although much less frequently than it was when I first added the warning). Depending on how much complaining still exists on Friday I might make the warning developer-only, but I'm currently hopeful that I can clean up most of it before the next release promotes.
Nov 9 2018
Nov 7 2018
Aug 27 2018
I made this public since I've disclosed/discussed this elsewhere, including an indirect reference in the Spaces documentation, and I'm going to schedule it alongside some other stuff.
Aug 24 2018
Pushing the requireCapabilities() change out one more week since I had some stuff crop up early this week and it didn't get a chance to soak.
Aug 18 2018
Aug 17 2018
I'm going to push this out to next week since D19586 probably has a few minor issues with it and it's close to the release cut. It adds a lot of new policy checks which weren't explicit before, so I'd guess it may cause a few improper policy errors on things which are actually allowed. I caught a bunch of them (like "Mute Thread") but probably didn't get every single one.
Aug 16 2018
Aug 14 2018
I'm touching some adjacent code for a "Disable User" permission in T13164.
May 18 2018
In D19455 I've reduced our "enormous change" threshold from 1GB to 256MB, which puts us underneath Git's 512MB magic number. This probably mitigates this to at least some degree.
May 14 2018
Apr 8 2018
Apr 7 2018
A related attack is a bare whatever.patch file which writes to .git/config or .hg/hgconfig or whatever.
Apr 5 2018
Mar 23 2018
Actually, it seems like rel="noreferrer" fixes this. This is bizarre so maybe this is a problem with a spooky ghost haunting my computer?
Mar 15 2018
Mar 8 2018
very good memes
hmmm
Actually, HTML mail has an issue now.
This is technically fixed now but the meme stuff is real old and rough so I'm going to maybe make some kind of effort to get through more of T5258, etc.
Mar 7 2018
Mar 5 2018
Mar 2 2018
This is promoting soon and we seem to have come through it without too much damage. T13095 is a followup for style="..." attributes.
Mar 1 2018
These changes are all deployed here, now. The embed element only got touched lightly but is at least slightly better. See T4340 for further adventures in Content-Security-Policy.
Feb 28 2018
- "Download" is a form, so you can't command-click it.
- The whole thing is a <div href="..." /> (huh?) so you can't command-click it to open it in a new window.
- When you click it for a non-image file, you get this weird interstitial that you can leave comments on if you click an additional button, which uses janky animations and AJAX. This feature is pretty half-baked and I've never seen anyone actually use it. It's possibly a net negative in its current form.
- There is no way to actually show the text file in the browser! ARHGRH
Okay, here's another one of these:
Feb 27 2018
On the Stripe payment processing workflow, we embed a piece of Javascript directly from Stripe.
On the Recaptcha flow, we embed a piece of Javascript directly from Google.
Other stuff to test:
When we use a Quicksand transition from page A (which does not have Google or Recaptcha stuff on it) to page B (which does), the CSP from Page A will currently still be in control and prevent Page B from working.
I don't think this exposes new attack surface, at least today.
Idle thought: can we data: an SVG with onhover behaviors?