Page MenuHomePhabricator
Create Task
Maniphest T104913

Improve RESTBase CSP headers: use 'self' instead of *, allow inline styles for sanitized content
Closed, ResolvedPublic
Actions

Description

On pages like https://rest.wikimedia.org/en.wikipedia.org/v1/page/html/User%3AMarcoil%2FTests%2FCite/648024713, Chrome refuses to render inline styles and prints the following warning in the console:

"Refused to apply inline style because it violates the following Content Security Policy directive: "style-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-Mvsp77heuEPm7zRATyUk_qLvOCN0lwgUfh8tzx_2ync='), or a nonce ('nonce-...') is required to enable inline execution."

As the error message says, we are currently setting "style-src *". The error is triggered by a simple and harmless inline style.

It sounds like one option would be to include unsafe-inline, but we should check with @csteipp if that's okay.

Event Timeline

GWicke created this task.Jul 6 2015, 8:52 PM
GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description. (Show Details)
GWicke added subscribers: GWicke, csteipp.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 6 2015, 8:52 PM
GWicke added projects: RESTBase, Security-General, Parsoid.Jul 6 2015, 8:52 PM
GWicke set Security to None.
GWicke removed a subscriber: Aklapper.
GWicke added subscribers: Arlolra, ssastry.
jeremyb subscribed.Jul 6 2015, 9:02 PM
GWicke added a subscriber: Krinkle.Jul 6 2015, 9:05 PM
Krenair added a project: Security-Team.Jul 6 2015, 9:13 PM
Krenair subscribed.
csteipp added a comment.Jul 6 2015, 9:17 PM

Do we need to send browsers to rest.wikimedia.org directly? If this is just a convenience so you can view the html of a page when typically would fetch the html and present it in another context, then I would discourage it.

If you really need to do that, let's do that in a way that the services that are proxied by restbase still have style-src * (or hopefully something more restrictive in the future).

GWicke added a comment.Jul 6 2015, 10:07 PM

@csteipp & myself just had a quick chat about this in the office, and came up with a plan:

  • with the /api/rest_v1/ entry points we can now use 'self' instead of * for most CSP settings, which makes it more secure
  • for backend services like Parsoid where we know that styles have been sanitized to our standards, we can set style-src 'self' 'unsafe-inline', which will allow rendering of the remaining (hopefully safe) inline styles
GWicke renamed this task from Investigate CSP header interaction with inline styles to Improve RESTBase CSP headers: use 'self' instead of *, allow inline styles for sanitized content.Jul 6 2015, 10:15 PM
GWicke assigned this task to Pchelolo.
GWicke triaged this task as Medium priority.
Krinkle added a comment.Jul 6 2015, 10:26 PM

Sounds good. Content and inline styles that we embed in production wiki output should certainly be fine to output on restbase domains as well.

Pchelolo added a comment.Jul 8 2015, 5:54 PM

PR with the fix: https://github.com/wikimedia/restbase/pull/277

ssastry moved this task from Needs Triage to Non-Parsing-Team Tasks on the Parsoid board.Jul 10 2015, 4:30 AM
Pchelolo added a comment.Jul 31 2015, 7:09 PM

The PR has been deployed, so this is ready to be closed.

Pchelolo closed this task as Resolved.Jul 31 2015, 7:09 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL