
CentralNotice - CSP overreach
Open, Needs Triage, Public


The new CSP for CN is a little overreaching. It is being triggered every time I preview a banner, since it is now triggered any time any JavaScript is loaded from anywhere other than the page. This includes:

  • Any gadget
  • Any personal JavaScript I use on my account
  • In-browser tools such as page translation from Google Translate.

The latter is a significant issue, since I can no longer use the tool to confirm that banner localisation works correctly: the CSP suppresses the necessary script from running.

Event Timeline

Jseddon created this task. Apr 29 2018, 12:42 AM
Restricted Application added a subscriber: Aklapper. Apr 29 2018, 12:42 AM
Jseddon updated the task description. Apr 29 2018, 12:45 AM
Jseddon added subscribers: DStrine, AndyRussG.

@Jseddon Thanks!!

Regarding personal JavaScript, you mean in User:YourUserName/common.js, right?

For the point on browser tools, you mean the automatic page translation in Chrome? I just tried using that to translate a banner preview, and CSP did indeed flag an error. I wonder if there's something we can do about that? The tool is indeed injecting an external resource into the page.

The script is called from common.js but is stored in another subpage. I have actually since moved it to prevent it being an issue, which is how I discovered the other issues.

Indeed, I have the Google Translate extension installed, which I use to translate at my own choosing (specifically because I generally have the Chrome auto-translate function turned off, since it often translates when I don't want it to).

Ejegg added a subscriber: Ejegg. Apr 29 2018, 3:43 AM

Hmm, this sounds like it would require a per-user setting to whitelist certain sources.

Base added a subscriber: Base. Apr 29 2018, 9:56 AM
Ejegg added a comment. Apr 30 2018, 7:38 PM

Also: check if the report-only version of the header still lets us catch the sources.

Vvjjkkii renamed this task from CentralNotice - CSP overreach to z0daaaaaaa. Jul 1 2018, 1:13 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from z0daaaaaaa to CentralNotice - CSP overreach. Jul 2 2018, 4:34 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description.
CommunityTechBot added a subscriber: Aklapper.

Hi! There is a workaround for Firefox that lets you turn off CSP entirely. I'd suggest only using it in a special browser profile that you would set up for that purpose.

Eventually this will become a core issue rather than a CN one, once CSP is activated for all WMF wikis. Currently testwiki does emit CSP headers.

The CN header seems more restrictive and less complete than the header sent by the core code on testwiki.

CentralNotice CSP header:

default-src * * * * * * * * * data: blob: 'self'; script-src * 'unsafe-inline' 'unsafe-eval' 'self'; style-src * data: 'unsafe-inline' 'self';

Testwiki CSP header:

script-src 'unsafe-eval' 'self' 'nonce-RWQ/6u579GboaQeF7BdZ' 'unsafe-inline' * * * * * * * *; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&

@Bawolff, @Ejegg, can and should we switch CN to using the core header, or maybe the core code? Looks like it might work better with gadgets and user scripts (provided those don't load external stuff themselves)?

We may be adjusting the core CSP header. It's kind of ridiculously long. We also plan on disabling nonces in the initial rollout. So the core stuff should be considered to be in flux.

> So the core stuff should be considered to be in flux

OK thanks...!!! Do you know if, as it is, it allows gadgets and user scripts?

> OK thanks...!!! Do you know if, as it is, it allows gadgets and user scripts?

At the moment, it adds a nonce option. This is compatible with some user scripts but not all. We are planning to remove the nonce option from WMF deploys (the patch just got merged), so once that's gone it should be compatible with most user scripts. So just remove the 'nonce-RWQ/6u579GboaQeF7BdZ' part (the number changes on every request).

Some people have scripts that load external resources, those will break.