
&banner causes CSP warning
Closed, Declined (Public)

Description

I was helping Commons POTY design, and when I entered "https://meta.wikimedia.org/w/index.php?title=Tech/News/2014/24/zh&uselang=en&banner=POTY_2017_R2&force=1", my Safari (Version 11.1.1 (13605.2.8)) started yelling at me with a popup: "Content Security Policy violation detected! Tried to load something from https://en.wikipedia.org."

It kept issuing such warnings until it had issued one for every domain in my global.js. Visiting the same page without &banner=POTY_2017_R2&force=1 had no problem whatsoever, so it's most likely MediaWiki-extensions-CentralNotice.

Event Timeline

The banner is not loading content from enwiki, so this is likely not related. I cannot reproduce the issue in FF (no content loaded from en.wiki). Maybe it is caused by a user script but not related to the banner in question.

Banner content itself doesn't seem problematic, more of the rendering of Safari, I guess.

https://en.wikipedia.org/w/index.php?title=Nut_rage_incident&banner=POTY_2017_R2&force=1&uselang=en loads with Content Security Policy violation detected! Tried to load something from https://www.mediawiki.org.

So this is from the CentralNotice CSP, not the mediawiki CSP we are experimenting with.

Once MW CSP is ready we'll be able to replace the CentralNotice one with that. I plan to put the MediaWiki CSP on the testwiki this week, but it might be a little while before it's enforcing everywhere (not sure).

Hi! Just to explain a bit more: CentralNotice specifically adds the CSP header (which warns about external content) when previewing a banner, to help check that banners don't load external resources. This is to protect user privacy, because if you load anything from an external site into a banner, you're sending a lot of user data to that site.

wikipedia.org is whitelisted for most content, but also, I don't see anything in the banner requesting stuff from wikipedia.org.

Here's the full header I'm getting when previewing the banner: default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';

I don't get the warning when previewing the banner in Firefox or Chromium.

@revi can you please try previewing the banner when logged out, and see if you still get the warning? Maybe the warning is due to a gadget that you're loading from enwiki?

Also, are you able to please open the console in your browser developer tools, and preview the banner while logged in, then copy and paste here the full CSP message that you see in the console?

Thanks much!!!! :)
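As an added illustration (not code from this thread or from CentralNotice), the Python below applies the preview header quoted above to the kinds of URLs reported in this task. It assumes, hypothetically, that the page being previewed is on meta.wikimedia.org and that the user's gadget fetches a script from en.wikipedia.org. It shows why wikipedia.org is allowed "for most content" but not for scripts: script-src is present in the header, so it never falls back to default-src, and a user script served from en.wikipedia.org or toolforge.org is refused.

```python
from urllib.parse import urlparse

# The CentralNotice banner-preview CSP header quoted in the thread, embedded here as a constant.
PREVIEW_CSP = (
    "default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org "
    "*.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org "
    "www.wikidata.org *.wikivoyage.org data: blob: 'self'; "
    "script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; "
    "style-src *.wikimedia.org data: 'unsafe-inline' 'self';"
)

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """Host-source matching: exact host, or '*.example.org' for any subdomain (not the apex)."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # '*.wikimedia.org' -> endswith '.wikimedia.org'
    return host == pattern

def allowed(policy, directive, url, page_origin):
    """Would loading `url` under fetch directive `directive` pass this policy?
    A fetch directive falls back to default-src only when it is absent entirely.
    Ports and paths are ignored here, which is enough for the hosts in this task."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src", ["*"])   # no policy at all: everything allowed
    target, page = urlparse(url), urlparse(page_origin)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue                         # 'unsafe-inline' etc. say nothing about remote URLs
        elif src.endswith(":"):              # scheme-source such as data: or blob:
            if target.scheme + ":" == src:
                return True
        elif host_matches(src, target.hostname or ""):
            return True
    return False
```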

@revi can you please try previewing the banner when logged out, and see if you still get the warning? Maybe the warning is due to a gadget that you're loading from enwiki?

Obviously, global.js hosts an en.wikipedia.org user script. That sounds like the cause.

P7365

Is there a way to get this fixed? We're sharing banners with community members for review, and they commonly have gadgets/scripts enabled which load content from wmflabs.

Change 864327 had a related patch set uploaded (by AndyRussG; author: AndyRussG):

[operations/mediawiki-config@master] CentralNotice: Add wmflabs to banner preview CSP

https://gerrit.wikimedia.org/r/864327

Reminder: the attached config patch should only be +1'ed, and will be +2'ed at the time of deploy. Thanks!!!

Removing inactive task assignee (@ Fundraising: please do so as part of your offboarding steps - thanks!).

Bumping this again, it's a recurring issue when sharing preview links with the community. Confusing for them, and not a good look for us.

greg subscribed.

(this was in the DRI backlog column, but not the chaos crew project, so in a limbo state, moving to triage for triage)

Thanks Peter. Another security warning shared by a fellow Dutch user was the following:
Schending van het inhoudsbeveiligingsbeleid ontdekt! Er is geprobeerd iets van https://intuition.toolforge.org/api.php?domains=general%7Cwhatleaveshere&userlang=nl te laden.

@Ciell Yes, same issue. Any gadget or user script which tries to load content off a non-wiki server (including toolforge) will show the same issue when previewing a banner.

Thanks Peter!
I understand (and can now explain it to others as well, and apologize in advance when sharing the preview links for campaigns I set up.)

AKanji-WMF raised the priority of this task from Medium to High. Jul 18 2023, 6:42 PM
AKanji-WMF moved this task from Sprint +1 to DRI Backlog on the Fundraising-Backlog board.

@AKanji-WMF I think we can decline this - it's working as expected, warning banner designers about non-wikimedia scripts that may be loaded when they load the banners. If some of those are loaded via their own gadgets, that's an unfortunate false positive, but it's better that than we get somebody loading a facebook tracker on all wiki pageviews by mistake.

Ejegg moved this task from User Bug Backlog to Done on the Fundraising Tech - Chaos Crew board.