Maniphest T170729

rest api help should not request external things
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Bawolff
	Jul 14 2017, 11:20 PM

Tags

Referenced Files

None

Subscribers

Description

When viewing the rest api online docs, swagger tries to call out to:

https://online.swagger.io/validator?url=https://www.mediawiki.org/api/rest_v1/?spec

This call is blocked by CSP. If it went through, this would probably be a violation of the privacy policy. Well its good its getting blocked, CSP should be a check of last resort. The Rest API stuff should not serve things that instruct the browser to fetch external resources.

Event Timeline

Bawolff created this task.Jul 14 2017, 11:20 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 14 2017, 11:20 PM

Bawolff added projects: Privacy, Services.Jul 14 2017, 11:20 PM

• GWicke edited projects, added Services (next); removed Services.Jul 17 2017, 3:15 PM

• mobrovac added a project: RESTBase.Jul 17 2017, 6:46 PM

• GWicke claimed this task.Jul 18 2017, 7:46 PM

• GWicke moved this task from next to doing on the Services board.

• GWicke edited projects, added Services (doing); removed Services (next).

Fix at https://github.com/wikimedia/hyperswitch/pull/79.

• GWicke added a project: Patch-For-Review.Jul 18 2017, 8:10 PM

Merged, to be deployed tomorrow.

Deployed, resolving. Thnx @GWicke for the quick fix!

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 19 2017, 8:02 PM

sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:47 PM

• chasemp added a project: Security.Feb 10 2020, 10:58 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM