CSP Whitelist
The CSP whitelist specifies which sources pages on Miraheze may load scripts, styles, images, fonts, media, and frames from, and which hosts scripts may connect to:
# Content-Security-Policy source allowlist, one list per CSP directive.
# Only add a domain pursuant to the policy below. Please also be restrictive in which list.
# See https://meta.miraheze.org/wiki/Tech:CSP_Policy.
#
# NOTE(review): how these lists are turned into the response header is not
# shown here. No object-src, base-uri or form-action list appears in this
# listing; object-src falls back to default-src, but base-uri and form-action
# do not — confirm whether they are set elsewhere.

# Fallback for fetch directives that have no list of their own below.
default-src:
  - "'self'"
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'

# Script sources. Because 'unsafe-inline' and 'unsafe-eval' are both listed,
# inline script and eval-style string evaluation are permitted: this list
# restricts where external script files are fetched from, but does not by
# itself stop injected inline script.
# NOTE(review): presumably needed by on-wiki scripts/gadgets — confirm before
# relying on this directive as an XSS mitigation.
# The shared public CDNs (cdnjs.cloudflare.com, cdn.jsdelivr.net,
# fastly.jsdelivr.net) are allowed host-wide, so any file published on them is
# an allowed script; keep additions of this kind to a minimum and prefer
# Subresource Integrity on the tags that load from them.
script-src:
  - 'blob:'
  - "'self'"
  - "'unsafe-inline'"
  - "'unsafe-eval'"
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - '*.wikimedia.org'
  - '*.wikipedia.org'
  - '*.wikibooks.org'
  - '*.wiktionary.org'
  - '*.wikiquote.org'
  - '*.wikisource.org'
  - '*.wikiversity.org'
  - '*.wikinews.org'
  - '*.wikivoyage.org'
  - 'mediawiki.org'
  - 'www.mediawiki.org'
  - 'wikidata.org'
  - 'www.gstatic.com'
  - 'www.google.com'
  - 'apis.google.com'
  - 'platform.twitter.com'
  - 'wiki-assets.sumin.wiki'
  - 'cdnjs.cloudflare.com'
  - 'cdn.jsdelivr.net'
  - 'fastly.jsdelivr.net'
  - 'cdn.syndication.twimg.com'
  - 'openlayers.org'
  - 'www.gstatic.cn'
  - 'hcaptcha.com'
  - '*.hcaptcha.com'
  - 'bandcamp.com'

# Stylesheet sources. 'unsafe-inline' permits inline <style> blocks and style
# attributes; 'data:' permits stylesheets supplied as data: URLs.
style-src:
  - "'self'"
  - 'data:'
  - "'unsafe-inline'"
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - '*.wikimedia.org'
  - '*.wikipedia.org'
  - '*.wikibooks.org'
  - '*.wiktionary.org'
  - '*.wikiquote.org'
  - '*.wikisource.org'
  - '*.wikiversity.org'
  - '*.wikinews.org'
  - '*.wikivoyage.org'
  - 'mediawiki.org'
  - 'www.mediawiki.org'
  - 'wikidata.org'
  - 'www.gstatic.com'
  - 'fonts.googleapis.com'
  - 'cdn.jsdelivr.net'
  - 'fastly.jsdelivr.net'
  - 'cdnjs.cloudflare.com'
  - 'platform.twitter.com'
  - 'ton.twimg.com'
  - 'hcaptcha.com'
  - '*.hcaptcha.com'

# Image sources. This is the longest list; every entry is a host that a page
# can make the reader's browser request an image from.
# A leading '*.' matches every subdomain of the named host, so wildcard
# entries on shared hosting/CDN domains (for example '*.fastly.net') are much
# broader than a single site.
img-src:
  - 'blob:'
  - "'self'"
  - 'data:'
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - 'upload.wikimedia.org'
  - 'wikimedia.org'
  - 'maps.google.com'
  - 'www.gstatic.com'
  - 'maxcdn.bootstrapcdn.com'
  - '*.twimg.com'
  - 'i.imgur.com'
  - 'image.tmdb.org'
  - '*.googleusercontent.com'
  - '*.fontawesome.com'
  - '*.dropboxstatic.com'
  - '*.redd.it'
  - '*.redditmedia.com'
  - 'mirrors.creativecommons.org'
  - 'www.gnu.org'
  # NOTE(review): looks like a misspelling of Flickr's 'live.staticflickr.com'
  # — confirm. A mistyped allowlist entry trusts whoever controls that name
  # and leaves the intended host blocked.
  - 'live.staticflikr.com'
  - 'cdn.pixabay.com'
  - 'cdn.geogebra.org'
  - 'docs.blender.org'
  - '*.imgbox.com'
  - 'tile.openstreetmap.org'
  - '*.tile.openstreetmap.org'
  - 'cdn.discordapp.com'
  - 'na.llnet.sims3storee.cdn.ea.com'
  - '*.fastly.net'
  - 'minotar.net'
  - 'db.onlinewebfonts.com'
  - 'openlayers.org'
  - 'discordapp.com'
  - 'imgbb.com'
  - 'postimages.org'
  - 'platform.twitter.com'
  - 'syndication.twitter.com'
  - 'img.newspapers.com'
  - 'cdn.smutstone.com'
  - 'storage.googleapis.com'
  - '*.fbcdn.net'
  - 'i.ytimg.com'
  - '*.imgbb.com'
  - 'simgbb.com'
  - '*.simgbb.com'
  - 'ibb.co'
  - '*.ibb.co'
  - '*.postimages.org'
  - 'postimgs.org'
  - '*.postimgs.org'
  - 'postimg.cc'
  - '*.postimg.cc'
  - '*.rbxcdn.com'
  - 'cms-imgp.jw-cdn.org'

# Web font sources.
font-src:
  - "'self'"
  - 'data:'
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - 'fonts.gstatic.com'
  - 'fonts.googleapis.com'
  - 'cdnjs.cloudflare.com'
  - 'cdn.jsdelivr.net'
  - 'fastly.jsdelivr.net'
  - 'db.onlinewebfonts.com'
  - 'upload.wikimedia.org'

# Audio/video sources for <audio> and <video> elements.
media-src:
  - "'self'"
  - 'blob:'
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - 'upload.wikimedia.org'
  - 'embed.nicovideo.jp'
  - '*.youtube.com'
  - '*.youtube-nocookie.com'
  - 'player.twitch.tv'
  - 'clips.twitch.tv'
  - 'player.vimeo.com'
  - 'apis.google.com'
  - 'bandcamp.com'

# Hosts that may be embedded in frames/iframes on a page.
frame-src:
  - "'self'"
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - 'www.google.com'
  - 'docs.google.com'
  - 'apis.google.com'
  - 'web.libera.chat'
  - 'snap.berkeley.edu'
  - '*.youtube-nocookie.com'
  - 'www.youtube.com'
  - 'player.twitch.tv'
  - 'platform.twitter.com'
  - 'discord.com'
  - 'discordapp.com'
  - 'embed.nicovideo.jp'
  - 'syndication.twitter.com'
  - 'open.spotify.com'
  - 'www.gofundme.com'
  - 'archive.org'
  - 'w.soundcloud.com'
  - 'query.wikidata.org'
  - 'player.vimeo.com'
  - 'www.bing.com'
  - 'lucid.app'
  - 'scratch.mit.edu'
  - 'hcaptcha.com'
  - '*.hcaptcha.com'
  - 'bandcamp.com'

# Destinations for script-initiated requests (fetch, XMLHttpRequest,
# WebSocket, EventSource). Each entry is a host that page script can send
# data to, so this list is worth keeping the shortest of all.
connect-src:
  - "'self'"
  - '*.miraheze.org'
  - '*.mirabeta.org'
  - '*.wikitide.net'
  - 'www.wikidata.org'
  - '*.wikipedia.org'
  - 'www.mediawiki.org'
  - '*.wikimedia.org'
  - '*.wikinews.org'
  - '*.wiktionary.org'
  - 'cdn.jsdelivr.net'
  - 'storage.googleapis.com'
  - '*.youtube-nocookie.com'
  - 'hcaptcha.com'
  - '*.hcaptcha.com'