
rest api help should not request external things
Closed, Resolved · Public

Description

When viewing the REST API online docs, Swagger tries to call out to:

https://online.swagger.io/validator?url=https://www.mediawiki.org/api/rest_v1/?spec

This call is blocked by CSP. If it went through, this would probably be a violation of the privacy policy. While it's good it's getting blocked, CSP should be a check of last resort. The REST API stuff should not serve things that instruct the browser to fetch external resources.

Event Timeline

Bawolff created this task. Jul 14 2017, 11:20 PM
Restricted Application added a subscriber: Aklapper. Jul 14 2017, 11:20 PM
GWicke moved this task from next to doing on the Services board.
GWicke edited projects, added Services (doing); removed Services (next).
mobrovac triaged this task as Medium priority. Jul 18 2017, 11:48 PM
mobrovac added a subscriber: mobrovac.

Merged, to be deployed tomorrow.

mobrovac closed this task as Resolved. Jul 19 2017, 7:17 PM
mobrovac edited projects, added Services (done); removed Patch-For-Review, Services (doing).

Deployed, resolving. Thnx @GWicke for the quick fix!

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 19 2017, 8:02 PM
sbassett moved this task from Backlog to Done on the Privacy board. Oct 16 2019, 5:47 PM