
Insecure CORS access control of JS in Wikipedia.org
Closed, Invalid · Public

Description

JavaScript files used in the Wikipedia.org portal seem to have an insecure Cross-Origin Resource Sharing (CORS) access control.

According to Subgraph Vega,

The server in question has allowed resource from any origin by setting the value of the "Access-Control-Allow-Origin" response header to a wildcard value. This presents a security risk because any site can issue requests to access resources, regardless of origin.

Affected JavaScript resources:

See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Event Timeline

abian created this task. Nov 26 2016, 6:52 PM
Restricted Application added a subscriber: Aklapper. Nov 26 2016, 6:52 PM
Restricted Application added a project: Discovery. Nov 26 2016, 6:53 PM

What is the security concern here? While it's a little odd, allowing other domains to access the static JS files should not present a security risk.

I'm not an expert, but I suppose that this practice is risky if those .js files are mere examples of a common configuration used for other resources in the wikimediaverse. If this is an exception (as you say, "odd") or you consider that those wildcards aren't a security concern... I said anything. :-)

@debt, can you point us in the right direction of the person who's responsible for these portal URLs?

dpatrick triaged this task as Normal priority. Dec 7 2016, 5:34 PM
sbassett closed this task as Invalid. Apr 5 2019, 2:15 PM
sbassett added a subscriber: sbassett.

Closing as invalid as neither of the URLs mentioned within the description exists anymore and this doesn't appear to have been much of a security concern to begin with.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 5 2019, 4:02 PM
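
The distinction the replies draw, as an added example that is not part of the original task or of Wikimedia's code: a wildcard `Access-Control-Allow-Origin` on public static files only lets other sites read what an anonymous client could already fetch, whereas an origin echoed back together with `Access-Control-Allow-Credentials: true` exposes per-user data. The function name, level labels, probe origin and sample headers are constructed for illustration.

```javascript
// Added example: triage a scanner's CORS finding from the response headers alone.
// assessCors, its level names and the sample headers below are constructed here.
function assessCors(responseHeaders, probeOrigin) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h['access-control-allow-origin'];
  // Browsers only honour the exact, case-sensitive value "true".
  const withCreds = h['access-control-allow-credentials'] === 'true';
  const variesOnOrigin = (h['vary'] || '').toLowerCase()
    .split(',').map((s) => s.trim()).includes('origin');

  if (acao === undefined) {
    return { level: 'none', reason: 'no CORS grant; same-origin policy applies' };
  }
  if (acao === '*') {
    // A wildcard never satisfies a credentialed request: the browser fails it.
    // Other sites can therefore read only what an anonymous client gets.
    return withCreds
      ? { level: 'misconfigured', reason: 'wildcard with credentials fails in browsers' }
      : { level: 'info', reason: 'anonymous reads only; fine for public static files' };
  }
  if (acao === probeOrigin) {
    // The server echoed an origin the tester made up, so it trusts any origin.
    if (withCreds) {
      return { level: 'high', reason: 'arbitrary origin allowed to read with cookies' };
    }
    return { level: variesOnOrigin ? 'info' : 'low',
             reason: 'origin echoed without credentials; check Vary: Origin for caches' };
  }
  return { level: 'ok', reason: 'fixed allow-listed origin' };
}

// Constructed samples: a static portal script and a hypothetical per-user API.
const PROBE = 'https://probe.example';
const samples = {
  staticJs: { 'Content-Type': 'application/javascript', 'Access-Control-Allow-Origin': '*' },
  userApi: { 'Access-Control-Allow-Origin': PROBE, 'Access-Control-Allow-Credentials': 'true' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, assessCors(headers, PROBE));
}
```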