It tries to load something from fonts.googleapis.com
Description
Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T133919 [EPIC] Protect end-user privacy by restricting non-consensual third-party browser interactions
Open | | None | T130748 Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses
Open | | None | T172065 Hunt for Toolforge tools that load resources from third party sites
Resolved | | Rammanojpotla | T231312 WikiContrib violates user privacy by loading third party content from Google
Event Timeline
@srishakatux @Tuxology Please see this task.
Note: this code might help: https://github.com/toolforge/fontcdn/
@Quiddity @Aklapper Thanks for pointing this out. I will fix this ASAP and ask @Rammanojpotla to update the tool on Toolforge.
@Quiddity @Aklapper Fixed via https://github.com/wikimedia/WikiContrib/commit/9c7cee85c37138dd757d3bc53009784647a066d7#diff-4116fc200141126c18042468e63e9de9. I'll update this issue when the tool is updated on Toolforge.
@Tuxology It would be excellent if the deployed tool could be updated soon. The nice announcement at https://lists.wikimedia.org/pipermail/wikitech-l/2019-September/092493.html is driving a bit more traffic to the tool now which is driving up the Content-Security-Policy violations reports: https://tools.wmflabs.org/csp-report/search?ft=wikicontrib.
@bd808 We updated the deployed tool, but realized that Semantic UI, which we are using as a dependency, is still fetching in some fonts from Google. @Rammanojpotla is on it to fix and re-deploy. Sorry for the delay.
Sorry @bd808 and @Tuxology for the delay. I guess the issue is fixed!
This is the screenshot of the requests made when I tried it out!
It is also not adding any entities at https://tools.wmflabs.org/csp-report/search?ft=wikicontrib. @bd808 can you please let me know if it is originally fixed?
@Rammanojpotla: Please check the source code of https://tools.wmflabs.org/contrabandapp/ . It includes these lines:
<link href="/contrabandapp/static/css/2.c149526b.chunk.css" rel="stylesheet">
<link href="/contrabandapp/static/css/main.064b115b.chunk.css" rel="stylesheet">
Both https://tools.wmflabs.org/contrabandapp/static/css/2.c149526b.chunk.css and https://tools.wmflabs.org/contrabandapp/static/css/main.064b115b.chunk.css load content from https://fonts.googleapis.com
I did a 'hard' reload of the page to make sure that I was not just seeing stale css from prior testing. I am still seeing https://fonts.googleapis.com/css?family=Lato&display=swap and https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic&subset=latin load from Google's FontCDN.
Specifically, the semantic-ui-css package that is being imported in frontend/WikiContrib-Frontend/package.json @imports fonts.googleapis.com/css?family=Lato. The easiest way to fix this is probably adding some post-processing step after you run npm build that will rewrite https://fonts.googleapis.com/ to https://tools-static.wmflabs.org/fontcdn/ in your generated CSS file(s).
@Aklapper @bd808 I guess there is some confusion regarding the official tool. The version @Rammanojpotla and I are referring to is this: https://tools.wmflabs.org/wikicontrib and is based on the code at https://github.com/wikimedia/WikiContrib. The contrabandapp one which you refer to is not maintained anymore and should be removed from Toolforge. I guess @Rammanojpotla is going to do it and then we are all golden!
@Aklapper and @bd808 sorry for the confusion. As specified at https://wikitech.wikimedia.org/wiki/Help:Toolforge/FAQ#Can_I_delete_a_Tool?, I cannot delete a tool on Toolforge. So, presently, I stopped the service of the tool hosted at https://tools.wmflabs.org/contrabandapp/. As @Tuxology specified, the official version of the tool is hosted at https://tools.wmflabs.org/wikicontrib/. Let me know if there are any fonts imported from wikicontrib?
https://tools.wmflabs.org/wikicontrib/ is not loading any external assets and https://tools.wmflabs.org/contrabandapp/ has its webservice shut down. Thanks for the attention @Rammanojpotla and sorry for the various confusions that we had here.
I guess https://wikicontrib.toolforge.org is the latest release of the tool now.
Source: https://github.com/wikimedia/WikiContrib/
@Gopavasanth - it still seems to not be loading any external resources (the purpose of this task), so that should be fine.