
Allow the Wikidata Query Builder to be embedded in an iframe
Open, Needs Triage, Public

Description

At Wikimédia France, we are working on a second MOOC about Wikidata, this new one dedicated to SPARQL queries. We would like to embed the Query Builder in an iframe, so learners will not have to go back and forth between the training website and the Query Builder.

At the moment, the Wikidata Query Builder returns an HTTP header x-frame-options with the value SAMEORIGIN. This prevents the page from being embedded in an iframe if the page containing the iframe is not on wikidata.org. This header should be removed so that other websites can embed the Query Builder.

Sample web page that should work:

<html>
  <head>
  </head>
  <body>
    <iframe src="https://query.wikidata.org/querybuilder/" width="800" height="600"></iframe>
  </body>
</html>

Note that this is only about the Query Builder. The main page of the Wikidata Query Service does not have this limitation and can already be embedded in an iframe.

Event Timeline

Triage Notes:

  • I (@ItamarWMDE) or other engineers in the team will try and assess the security risks involved with enabling this feature before we proceed

Unfortunately, it seems like we cannot do this, as these headers were requested by the WMF security team. In addition, this might expose us to some forms of clickjacking attacks, where other embedding sites will be able to steal some information from the embedded page.

If we were able to limit the iframe to the domain of the mooc we might have had grounds to consider this. However, there is no longer an option to have an allow list of embedding origins, as this is deprecated from modern browsers.

We might be able to try and set a Content-Security-Policy header with a frame-ancestors directive set to the domain of the MOOC. But I would still defer to advice from the WMF Security Team (tagging @sbassett here since they are the only contact I have in the team so far).

> Unfortunately, it seems like we cannot do this, as these headers were requested by the WMF security team. In addition, this might expose us to some forms of clickjacking attacks, where other embedding sites will be able to steal some information from the embedded page.

This is all correct, and why we'd discourage a revert of the status quo or, at the very least, likely rate it as at least a medium risk.

> We might be able to try and set a Content-Security-Policy header with a frame-ancestors directive set to the domain of the MOOC. But I would still defer to advice from the WMF Security Team (tagging @sbassett here since they are the only contact I have in the team so far).

This is likely feasible, if it doesn't interfere with any potential X-Frame-Options: deny|sameorigin headers, and if the source list is kept to a minimum of absolutely necessary URLs that the Security-Team could review and assign any potential risk ratings.

That being said, the query builder is just static files. It could potentially just run on their page natively, maybe needs a few changes and a bit of documentation from us. Or am I missing some fundamental consideration?

> That being said, the query builder is just static files. It could potentially just run on their page natively, maybe needs a few changes and a bit of documentation from us. Or am I missing some fundamental consideration?

Static files... which include a hefty amount of client-side JS, no? That's the security concern. If it can be bundled and deployed from just about anywhere, setting up a demo site on wmcs, etc. would likely be fine. As long as there was no confusion for users that it was, indeed, a demo site.

> This is likely feasible, if it doesn't interfere with any potential X-Frame-Options: deny|sameorigin headers, and if the source list is kept to a minimum of absolutely necessary URLs that the Security-Team could review and assign any potential risk ratings.

Thank you, this sounds promising, I'll dig deeper into it. I suppose we will be talking about exactly one URL from WMFR, is that correct @Lydia_Pintscher?

UPDATE: The second part of this Stack Overflow response seems to suggest that this might be possible (where CSP is used and XFO will only be the fallback). I haven't verified this myself yet, however, and I'm not sure if I'll have time to get around to it soon.
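The header precedence being discussed, as an added example that is not part of this task or of the Query Builder code: a small model of how a browser decides whether the Query Builder page may be framed, given X-Frame-Options and a CSP frame-ancestors directive. It assumes the header sets below (the PROPOSED value for formations.wikimedia.fr is constructed here) and the CSP Level 2 rule that a browser which understands frame-ancestors ignores X-Frame-Options when both are present, so XFO only serves as the fallback for older browsers.

```python
from urllib.parse import urlsplit

PAGE = "https://query.wikidata.org/querybuilder/"

# Constructed header sets for the two options discussed in the task.
STATUS_QUO = {"X-Frame-Options": "SAMEORIGIN"}
PROPOSED = {
    # XFO kept only as a fallback for browsers without frame-ancestors support
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' https://formations.wikimedia.fr",
}


def _same_origin(a, b):
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)


def _source_matches(src, embedder, page):
    """Match one frame-ancestors source expression against the embedding page's origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _same_origin(embedder, page)
    e = urlsplit(embedder)
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return e.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)  # host-source, optional scheme
    if s.scheme and s.scheme != e.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):  # wildcard matches any subdomain
        return e.hostname is not None and e.hostname.endswith(host[1:])
    return e.hostname == host


def framing_allowed(headers, embedder, page=PAGE, supports_csp2=True):
    """Return True if a browser would render `page` inside a frame hosted on `embedder`."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors" and supports_csp2:
            # CSP2: when frame-ancestors is present, X-Frame-Options is ignored
            return any(_source_matches(s, embedder, page) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()  # fallback path
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(embedder, page)
    return True
```

With PROPOSED, the MOOC subdomain is allowed in CSP2-capable browsers while any other site is still refused, and a browser without frame-ancestors support falls back to SAMEORIGIN and refuses the MOOC as before.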

> Thank you, this sounds promising, I'll dig deeper into it. I suppose we will be talking about exactly one URL from WMFR, is that correct @Lydia_Pintscher?

I believe so. @Envlh, can you confirm?

I'm not sure there will be exactly one URL, but there should be only one subdomain (formations.wikimedia.fr). I'm awaiting confirmation from @mickeybarber.

Yes only this subdomain formations.wikimedia.fr.

Have you been able to advance on the subject @Lydia_Pintscher?