
CentralNotice - CSP overreach
Open, Needs Triage, Public

Description

The new CSP for CN is a little overreaching. It is being triggered every time I preview a banner, since it now fires any time any JavaScript is loaded from anywhere other than the page. This includes:

  • Any gadget
  • Any personal JavaScript I use on my account
  • In-browser tools such as page translation by Google Translate.

The latter is a significant issue, since I can no longer use the tool to confirm that banner localisation functionality is correct: CSP suppresses the necessary script from running.

Event Timeline

@Jseddon Thanks!!

Regarding personal javascript, you mean in User:YourUserName/common.js, right?

For the point on browser tools, you mean the automatic page translation in Chrome? I just tried using that to translate a banner preview, and CSP did indeed flag an error. I wonder if there's something we can do about that? The tool is indeed injecting an external resource into the page.

The script is called from common.js but is stored in another subpage. I have actually since moved it to prevent it being an issue, which is how I discovered the other issues.

Indeed, I have the Google Translate extension installed, which I use to translate pages of my own choosing (specifically because I generally have the Chrome auto-translate function turned off, since it often translates when I don't want it to).

Hmm, this sounds like it would require a per-user setting to whitelist certain sources

Also: check if the report-only version of the header still lets us catch the sources

Hi! There is a workaround for Firefox that lets you turn off CSP entirely. I'd suggest only using it in a special browser profile that you would set up for that purpose.

Eventually this will become a core issue rather than a CN one, once CSP is activated for all WMF wikis. Currently testwiki does emit CSP headers.

The CN header seems more restrictive and less complete than the header sent by the core code on testwiki.

CentralNotice CSP header:

default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';

Testwiki CSP header:

script-src 'unsafe-eval' 'self' 'nonce-RWQ/6u579GboaQeF7BdZ' meta.wikimedia.org 'unsafe-inline' *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org www.wikidata.org m.wikidata.org test.wikidata.org *.wikivoyage.org www.mediawiki.org m.mediawiki.org wikimediafoundation.org advisory.wikimedia.org affcom.wikimedia.org auditcom.wikimedia.org boardgovcom.wikimedia.org board.wikimedia.org chair.wikimedia.org checkuser.wikimedia.org collab.wikimedia.org commons.wikimedia.org donate.wikimedia.org exec.wikimedia.org grants.wikimedia.org incubator.wikimedia.org internal.wikimedia.org login.wikimedia.org meta.wikimedia.org movementroles.wikimedia.org office.wikimedia.org otrs-wiki.wikimedia.org outreach.wikimedia.org quality.wikimedia.org searchcom.wikimedia.org spcom.wikimedia.org species.wikimedia.org steward.wikimedia.org strategy.wikimedia.org usability.wikimedia.org wikimaniateam.wikimedia.org am.wikimedia.org ar.wikimedia.org bd.wikimedia.org be.wikimedia.org br.wikimedia.org ca.wikimedia.org cn.wikimedia.org co.wikimedia.org dk.wikimedia.org ec.wikimedia.org et.wikimedia.org fi.wikimedia.org hi.wikimedia.org id.wikimedia.org il.wikimedia.org mai.wikimedia.org mk.wikimedia.org mx.wikimedia.org nl.wikimedia.org noboard-chapters.wikimedia.org no.wikimedia.org nyc.wikimedia.org nz.wikimedia.org pa-us.wikimedia.org pl.wikimedia.org pt.wikimedia.org romd.wikimedia.org rs.wikimedia.org ru.wikimedia.org se.wikimedia.org tr.wikimedia.org ua.wikimedia.org wb.wikimedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&

@Bawolff, @Ejegg, can and should we switch CN to using the core header, or maybe the core code? Looks like it might work better with gadgets and user scripts (provided those don't load external stuff themselves)?

We may be adjusting the core CSP header. It's kind of ridiculously long. We also plan on disabling nonces in the initial rollout. So the core stuff should be considered to be in flux.


OK thanks...!!! Do you know if, as it is, it allows gadgets and user scripts?


At the moment, it adds a nonce option. This is compatible with some user scripts but not all. We are planning to remove the nonce option from WMF deploys (patch just got merged), so once that's gone it should be compatible with most user scripts. So just remove the 'nonce-RWQ/6u579GboaQeF7BdZ' part (The number changes on every request).

Some people have scripts that load external resources, those will break.
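To make the header comparison above and the nonce-removal plan concrete, here is an added example (not CentralNotice or MediaWiki code) that parses a serialized CSP header, strips `'nonce-...'` sources, and asks whether a `<script src=...>` from a given URL would be allowed. The embedded headers are shortened excerpts of the two quoted in this thread, and the host matching is deliberately simplified (no scheme, port or path handling).

```python
import re
from urllib.parse import urlsplit

# Shortened excerpts of the CentralNotice and testwiki headers quoted in the thread.
CN_HEADER = ("default-src *.wikimedia.org *.wikipedia.org data: blob: 'self'; "
             "script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; "
             "style-src *.wikimedia.org data: 'unsafe-inline' 'self';")
CORE_HEADER = ("script-src 'unsafe-eval' 'self' 'nonce-RWQ/6u579GboaQeF7BdZ' "
               "meta.wikimedia.org 'unsafe-inline' *.wikipedia.org www.mediawiki.org; "
               "default-src * data: blob:; style-src * data: blob: 'unsafe-inline'")

def parse_csp(header):
    """Return {directive: [source, ...]} from a serialized CSP header."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def strip_nonces(header):
    """Drop every 'nonce-...' source, as the thread says WMF plans to do."""
    return re.sub(r"\s*'nonce-[^']*'", "", header)

def _host_matches(pattern, host):
    """Simplified CSP host-source matching: '*' or a '*.' prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # '*.wikimedia.org' matches 'meta.wikimedia.org' but not 'wikimedia.org'
        return host.endswith(pattern[1:])
    return host == pattern

def script_allowed(header, script_url, page_origin):
    """Would a script from script_url load on a page at page_origin under this header?
    Falls back to default-src when script-src is absent, as a browser does."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    host = urlsplit(script_url).hostname
    page_host = urlsplit(page_origin).hostname
    for src in sources:
        if src == "'self'" and host == page_host:
            return True
        if src.startswith("'") or src in ("data:", "blob:"):
            continue  # keywords and scheme sources never match a host
        pattern = src.split("://")[-1].split("/")[0]  # drop scheme/path if present
        if _host_matches(pattern, host):
            return True
    return False
```

With these excerpts, a user script hosted on en.wikipedia.org loaded while previewing on meta passes the core header but not the CN one, and a Google Translate script fails both.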


Here's the relevant code in CN:
https://phabricator.wikimedia.org/diffusion/ECNO/browse/wmf_deploy/includes/CentralNoticeHooks.php$399

Currently not seeing the nonce bits when loading with &banner:

Loaded via https://en.wikipedia.org/w/index.php?title=Wikipedia&banner=B2122_0119_enWW_dsk_p1_lg_template&country=US

content-security-policy
script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org www.pages04.net; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline';

Loaded via https://meta.wikimedia.org/w/index.php?title=Wikipedia&banner=B2122_0119_enWW_dsk_p1_lg_template&country=US

content-security-policy
script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org www.pages04.net; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline';