{"host": "cp2044.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3969, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/usr/share/varnish/tests/upload-frontend.inc.vcl]", "content": "--- /usr/share/varnish/tests/upload-frontend.inc.vcl.orig\n+++ /usr/share/varnish/tests/upload-frontend.inc.vcl\n@@ -579,24 +579,13 @@\n \n         // Restrict uploads from loading external resources across all of upload.w.o (T117618)\n         // PDFs require object-src: self\n+        set resp.http.Reporting-Endpoints = {\"csp-endpoint=\"https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\"\"};\n         if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n         } else {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; 
report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n-        }\n-\n-        // Testwiki now in enforce mode\n-        if (req.url ~ \"^/wikipedia/test\") {\n-            if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-                // PDFs don't like no object-src and sandbox in chrome\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            } else {\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri 
https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            }\n         }\n     }\n "}, {"resource": "File[/etc/varnish/upload-frontend.inc.vcl]", "content": "--- /etc/varnish/upload-frontend.inc.vcl.orig\n+++ /etc/varnish/upload-frontend.inc.vcl\n@@ -579,24 +579,13 @@\n \n         // Restrict uploads from loading external resources across all of upload.w.o (T117618)\n         // PDFs require object-src: self\n+        set resp.http.Reporting-Endpoints = {\"csp-endpoint=\"https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\"\"};\n         if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = 
resp.http.Content-Security-Policy-Report-Only;\n         } else {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n-        }\n-\n-        // Testwiki now in enforce mode\n-        if (req.url ~ \"^/wikipedia/test\") {\n-            if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-                // PDFs don't like no object-src and sandbox in chrome\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            } 
else {\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            }\n         }\n     }\n "}], "perc_changed": "0.05%"}, "core": {"total": 3969, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/usr/share/varnish/tests/upload-frontend.inc.vcl]", "content": "--- /usr/share/varnish/tests/upload-frontend.inc.vcl.orig\n+++ /usr/share/varnish/tests/upload-frontend.inc.vcl\n@@ -579,24 +579,13 @@\n \n         // Restrict uploads from loading external resources across all of upload.w.o (T117618)\n         // PDFs require object-src: self\n+        set resp.http.Reporting-Endpoints = {\"csp-endpoint=\"https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\"\"};\n         if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 
'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n         } else {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n-        }\n-\n-        // Testwiki now in enforce mode\n-        if (req.url ~ \"^/wikipedia/test\") {\n-            if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-                // PDFs don't like no object-src and sandbox in chrome\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                
set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            } else {\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            }\n         }\n     }\n "}, {"resource": "File[/etc/varnish/upload-frontend.inc.vcl]", "content": "--- /etc/varnish/upload-frontend.inc.vcl.orig\n+++ /etc/varnish/upload-frontend.inc.vcl\n@@ -579,24 +579,13 @@\n \n         // Restrict uploads from loading external resources across all of upload.w.o (T117618)\n         // PDFs require object-src: self\n+        set resp.http.Reporting-Endpoints = {\"csp-endpoint=\"https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\"\"};\n         if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src 
data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n         } else {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n-        }\n-\n-        // Testwiki now in enforce mode\n-        if (req.url ~ \"^/wikipedia/test\") {\n-            if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-                // PDFs don't like no object-src and sandbox in chrome\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: 
https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            } else {\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            }\n         }\n     }\n "}], "perc_changed": "0.05%"}, "main": {"total": 3969, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/usr/share/varnish/tests/upload-frontend.inc.vcl]", "content": "--- /usr/share/varnish/tests/upload-frontend.inc.vcl.orig\n+++ /usr/share/varnish/tests/upload-frontend.inc.vcl\n@@ -579,24 +579,13 @@\n \n         // Restrict uploads from loading external resources across all of upload.w.o (T117618)\n         // PDFs require object-src: self\n+        set resp.http.Reporting-Endpoints = 
{\"csp-endpoint=\"https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\"\"};\n         if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n         } else {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = 
resp.http.Content-Security-Policy-Report-Only;\n-        }\n-\n-        // Testwiki now in enforce mode\n-        if (req.url ~ \"^/wikipedia/test\") {\n-            if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-                // PDFs don't like no object-src and sandbox in chrome\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            } else {\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            }\n         }\n     }\n "}, {"resource": "File[/etc/varnish/upload-frontend.inc.vcl]", "content": "--- 
/etc/varnish/upload-frontend.inc.vcl.orig\n+++ /etc/varnish/upload-frontend.inc.vcl\n@@ -579,24 +579,13 @@\n \n         // Restrict uploads from loading external resources across all of upload.w.o (T117618)\n         // PDFs require object-src: self\n+        set resp.http.Reporting-Endpoints = {\"csp-endpoint=\"https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\"\"};\n         if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n         } else {\n-            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&\";\n+            set resp.http.Content-Security-Policy-Report-Only = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; 
connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&; report-to csp_endpoint\";\n             set resp.http.X-Content-Security-Policy-Report-Only = resp.http.Content-Security-Policy-Report-Only;\n-        }\n-\n-        // Testwiki now in enforce mode\n-        if (req.url ~ \"^/wikipedia/test\") {\n-            if ( req.url ~ \"(?i)\\.pdf$\" ) {\n-                // PDFs don't like no object-src and sandbox in chrome\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; object-src 'self'; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            } else {\n-                set resp.http.Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-                set resp.http.X-Content-Security-Policy = \"default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; connect-src https://upload.wikimedia.org/favicon.ico; media-src 
data: 'self'; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=0&source=image&action=cspreport&format=json&\";\n-            }\n         }\n     }\n "}], "perc_changed": "0.05%"}}}
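Review bot: The added `Reporting-Endpoints` header defines the endpoint as `csp-endpoint` (hyphen), but both new `Content-Security-Policy-Report-Only` values say `report-to csp_endpoint` (underscore), so the directive names a group that is never declared. Per CSP Level 3, browsers that honour `report-to` ignore `report-uri` when both are present, so violation reports from those browsers would most likely be dropped rather than sent to the fallback URL. Use one spelling in both places, for example `report-to csp-endpoint` in the two policy strings. Because this hunk also leaves every upload path in report-only mode, those reports are the only signal the policy still produces, so it is worth confirming they arrive before rollout. The same mismatch appears in the identical hunks for `/usr/share/varnish/tests/upload-frontend.inc.vcl` and `/etc/varnish/upload-frontend.inc.vcl` under `full`, `core` and `main`; the enclosing VCL block starts and ends outside the hunk.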