Toolforge tool: https://securityheaders.com/?q=https%3A%2F%2Fquery-builder-test.toolforge.org%2F&followRedirects=on (redirects to production tool)
Production deployment: https://securityheaders.com/?q=https%3A%2F%2Fquery.wikidata.org%2Fquerybuilder%2F&followRedirects=on
Acceptance Criteria 🏕️🌟 (September 2021)
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| miscweb: Add CSP headers for query builder | operations/puppet | production | +4 -0 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T289433 Display link to (or integrate) Query Builder from query.wikidata.org in a prominent place | |||
| Resolved | Erdinc_Ciftci_WMDE | T272702 (MS 7) Link from Query Service UI to Query Builder | |||
| Resolved | Ladsgroup | T276210 Add ‘Query Builder’ Button + tooltip to Query Service Interface | |||
| Resolved | Ladsgroup | T280229 Query Builder banner in the examples query dialog | |||
| Resolved | Ladsgroup | T280230 Query Builder top banner | |||
| Resolved | Ladsgroup | T266703 Deploy query builder to microsites (on top of the wdqs-ui) | |||
| Resolved | sbassett | T264822 (MS 7) Security Readiness Review For Wikidata Query Builder | |||
| Resolved | • toan | T285761 Add proper security headers to Query Builder |
Is this task about the current Toolforge deployment or the eventual production one? Because I expect the way to configure these headers will be totally different for both.
The eventual production one. We discussed that these headers are likely not to be added in the Query Builder code itself, but in the Apache server configuration, which probably does not live inside the Query Builder Repo. Though adding them to the test-server as well could be a decent test-run.
(So maybe this task should (also) be a sub-task to some deployment ticket?)
+1 from the Security-Team for this approach, as there can be issues when attempting to serve CSP at the app layer (see T238367).
@Michael @Lucas_Werkmeister_WMDE how about we close this / merge it into the checklists on T266703: Deploy query builder to microsites (on top of the wdqs-ui) ?
If this is prominently featured there, then ok. Alternatively, this ticket could live as a subtask of T266703 directly?
I just want to prevent us from overlooking this task in the long list of ACs in T266703. Especially because the Query Builder will work without these headers, so we might not even notice it until the security team gives us the evil eye.
Change 708463 had a related patch set uploaded (by Ladsgroup; author: Ladsgroup):
[operations/puppet@production] miscweb: Add CSP headers for query builder
Left a comment on the patch that we need to decide how to address, will put this in waiting until that decision is made.
Should put in a request to deploy here once we agree on the added configuration https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20210921T1600
Yup. I might be able to ask people to get it deployed sooner but that's the safest bet.
Change 708463 merged by RLazarus:
[operations/puppet@production] miscweb: Add CSP headers for query builder
securityheaders.com is still giving a D grade. It looks like cp4030 still has cached headers, I can also see them when I SSH into bast4003 and make a request from there.
Should we try to purge it manually somehow? Or just assume it’s going to expire eventually?
Mentioned in SAL (#wikimedia-operations) [2021-09-23T15:54:52Z] <Lucas_WMDE> lucaswerkmeister-wmde@mwmaint1002:~$ echo 'https://query.wikidata.org/querybuilder/' | mwscript purgeList.php # T285761