
CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox)
Closed, Resolved · Public

Description

On https://www.mediawiki.org/wiki/MediaWiki?debug=false&safemode=1, both Chrome 67 and Safari 11.1 trigger CSP warnings. Firefox 61 doesn't trigger the warning, however.

Chrome blames `document.head.appendChild(script);`; Safari doesn't seem to tell me what code is at fault, but I assume it's the same thing?


Event Timeline

Jdforrester-WMF triaged this task as Medium priority. · Jun 11 2018, 4:15 PM
Jdforrester-WMF created this task.
Restricted Application added a subscriber: Aklapper. · Jun 11 2018, 4:15 PM

Issue appears to be due to usage of domEval() (i.e. new version of $.globalEval()).

The CSP rules permit eval(), but not by injecting script tags as we currently do (without adding a nonce).

For our initial deployment we are planning to disable nonces anyways, which takes care of this problem. But later on, I guess look into dynamically providing the nonces.
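Added example (not code from this task or its patch) modelling the distinction described above: a `script-src` that carries `'unsafe-eval'` permits eval(), but a `<script>` element injected with appendChild is an inline script and passes only with a matching nonce (or `'unsafe-inline'` when no nonce or hash is listed). The policy string, helper names and the stand-in document are constructed for the example.

```javascript
// Constructed policy: eval allowed, inline scripts only via nonce.
const CSP_WITH_NONCE = "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-abc123'";

// Source list of the script-src directive (falls back to default-src).
function scriptSources(policy) {
  const directives = policy.split(';').map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const pick = name => directives.find(d => d[0] === name);
  const d = pick('script-src') || pick('default-src');
  return d ? d.slice(1) : [];
}

// eval() / new Function() are governed only by 'unsafe-eval'.
function evalAllowed(policy) {
  return scriptSources(policy).includes("'unsafe-eval'");
}

// An injected <script> with text content is an inline script: allowed by a
// matching nonce, or by 'unsafe-inline' when no nonce/hash source is present
// (CSP Level 3 ignores 'unsafe-inline' once a nonce or hash appears).
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = scriptSources(policy);
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  const hasNonceOrHash = nonces.length > 0 || sources.some(s => /^'sha(256|384|512)-/.test(s));
  if (scriptNonce && nonces.includes(scriptNonce)) return true;
  return !hasNonceOrHash && sources.includes("'unsafe-inline'");
}

// domEval-style helper (hypothetical): builds a <script> element and, when the
// page's nonce is supplied, attaches it so the element passes the inline check.
// `doc` is any object exposing createElement and head.appendChild.
function domEval(doc, code, nonce) {
  const script = doc.createElement('script');
  script.text = code;
  if (nonce) script.nonce = nonce;
  doc.head.appendChild(script);
  return script;
}

// Minimal stand-in for `document` so the example runs outside a browser.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: tagName => ({ tagName }) };
}
```

Running `domEval(fakeDocument(), '1+1')` against CSP_WITH_NONCE yields an element that `inlineScriptAllowed` rejects, while passing `'abc123'` as the nonce makes the same element acceptable.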

Vvjjkkii renamed this task from CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox) to 88aaaaaaaa. · Jul 1 2018, 1:04 AM
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.

Change 443357 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Ensure that ContentSecurityPolicy works with RL storage

https://gerrit.wikimedia.org/r/443357

CommunityTechBot renamed this task from 88aaaaaaaa to CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox). · Jul 2 2018, 9:33 AM
CommunityTechBot lowered the priority of this task from High to Medium.
CommunityTechBot updated the task description.
CommunityTechBot edited subscribers, added: Aklapper; removed: gerritbot.
Restricted Application added a project: Performance-Team. · Jul 5 2018, 9:17 PM
Krinkle updated the task description. · Jul 9 2018, 8:07 PM

Change 443357 merged by jenkins-bot:
[mediawiki/core@master] resourceloader: Give module eval the ContentSecurityPolicy nonce

https://gerrit.wikimedia.org/r/443357

Change 452572 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@wmf/1.32.0-wmf.16] resourceloader: Give module eval the ContentSecurityPolicy nonce

https://gerrit.wikimedia.org/r/452572

Change 452572 merged by Brian Wolff:
[mediawiki/core@wmf/1.32.0-wmf.16] resourceloader: Give module eval the ContentSecurityPolicy nonce

https://gerrit.wikimedia.org/r/452572