
&banner causes CSP warning
Open, Normal, Public

Description

I was helping Commons POTY design, and when I entered "https://meta.wikimedia.org/w/index.php?title=Tech/News/2014/24/zh&uselang=en&banner=POTY_2017_R2&force=1", my Safari (Version 11.1.1 (13605.2.8)) started yelling at me with a popup: "Content Security Policy violation detected! Tried to load something from https://en.wikipedia.org.".

It kept issuing such warnings until it had issued a warning for all the domains in my global.js. Visiting the same page without &banner=POTY_2017_R2&force=1 had no problem whatsoever, so it's most likely MediaWiki-extensions-CentralNotice.


Event Timeline

revi created this task. Jul 8 2018, 1:16 PM
Reedy added a subscriber: Bawolff.
revi moved this task from Incoming to Radar on the User-revi board. Jul 8 2018, 1:17 PM

The banner is not loading content from enwiki, so this is likely not related. I cannot reproduce the issue in FF (no content loaded from en.wiki). Maybe it is caused by a user script but not related to the banner in question.

revi added a comment. Jul 8 2018, 1:47 PM

> The banner is not loading content from enwiki, so this is likely not related. I cannot reproduce the issue in FF (no content loaded from en.wiki). Maybe it is caused by a user script but not related to the banner in question.

Banner content itself doesn't seem problematic, more of the rendering of Safari, I guess.

https://en.wikipedia.org/w/index.php?title=Nut_rage_incident&banner=POTY_2017_R2&force=1&uselang=en loads with Content Security Policy violation detected! Tried to load something from https://www.mediawiki.org.

So this is from the CentralNotice CSP, not the mediawiki CSP we are experimenting with.

Once MW CSP is ready we'll be able to replace the CentralNotice one with that. I plan to put the MediaWiki CSP on the testwiki this week, but it might be a little while before it's enforcing everywhere (not sure).

Hi! Just to explain a bit more: CentralNotice specifically adds the CSP header (which warns about external content) when previewing a banner, to help check that banners don't load external resources. This is to protect user privacy, because if you load anything from an external site into a banner, you're sending a lot of user data to that site.

wikipedia.org is whitelisted for most content, but also, I don't see anything in the banner requesting stuff from wikipedia.org.

Here's the full header I'm getting when previewing the banner:

```
default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org *.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org www.wikidata.org *.wikivoyage.org data: blob: 'self'; script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; style-src *.wikimedia.org data: 'unsafe-inline' 'self';
```

I don't get the warning when previewing the banner in Firefox or Chromium.

@revi can you please try previewing the banner when logged out, and see if you still get the warning? Maybe the warning is due to a gadget that you're loading from enwiki?

Also, are you able to please open the console in your browser developer tools, and preview the banner while logged in, then copy and paste here the full CSP message that you see in the console?

Thanks much!!!! :)
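To show which directive of the header quoted above would flag a user script pulled from en.wikipedia.org, here is an added example (not CentralNotice or MediaWiki code) of a simplified CSP source matcher; the header string is copied from the comment, while the test URLs and the assumed page origin https://meta.wikimedia.org are constructed for the example.

```python
from urllib.parse import urlparse

# Header copied verbatim from the comment above (CentralNotice banner preview).
PREVIEW_CSP = (
    "default-src *.wikimedia.org *.wikipedia.org *.wiktionary.org *.wikisource.org "
    "*.wikibooks.org *.wikiversity.org *.wikiquote.org *.wikinews.org www.mediawiki.org "
    "www.wikidata.org *.wikivoyage.org data: blob: 'self'; "
    "script-src *.wikimedia.org 'unsafe-inline' 'unsafe-eval' 'self'; "
    "style-src *.wikimedia.org data: 'unsafe-inline' 'self';"
)

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """Host-source matching: '*.example.org' covers subdomains, not the apex."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # suffix ".example.org"
    return host == pattern

def source_allows(expr, url, self_origin):
    """Does one source expression permit fetching url? (No port/path handling.)"""
    parsed = urlparse(url)
    if expr == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}" == self_origin
    if expr.startswith("'"):     # 'unsafe-inline', 'unsafe-eval', 'none': match no URL
        return False
    if expr.endswith(":"):       # scheme-source such as data: or blob:
        return parsed.scheme == expr[:-1]
    return parsed.scheme in ("https", "http") and host_matches(expr, parsed.hostname or "")

def is_allowed(header, directive, url, self_origin):
    """Check url against a fetch directive, falling back to default-src as CSP does."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True              # no governing directive: the load is unrestricted
    return any(source_allows(s, url, self_origin) for s in sources)
```

Running the check shows that a script from en.wikipedia.org or www.mediawiki.org is rejected by script-src, which lists only *.wikimedia.org and 'self', even though both hosts are permitted by default-src for images and other content; that is consistent with the two warnings reported in this task.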

revi added a comment. Jul 13 2018, 11:53 AM

> @revi can you please try previewing the banner when logged out, and see if you still get the warning? Maybe the warning is due to a gadget that you're loading from enwiki?

Obviously, global.js hosts an en.wikipedia.org user script. That sounds like the cause.

> Also, are you able to please open the console in your browser developer tools, and preview the banner while logged in, then copy and paste here the full CSP message that you see in the console?
>
> Thanks much!!!! :)

P7365