https://en.wikipedia.org/api/rest_v1/page/mobile-html/Foobar doesn't load correctly yet because of CSP issues.
It doesn't load the pagelib JavaScript bundle, and complains about the site specific CSS and the inline CSS. I don't see any complaints about the base CSS in the console but then I also don't see any of it used when inspecting a reference.
From Chrome DevTools console:
Refused to load the script 'https://meta.wikimedia.org/api/rest_v1/data/javascript/mobile/pagelib' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-6FWIojjtZwiNizws7ImlHjGH3DA5yMh5x4c+/4UVpXk='), or a nonce ('nonce-...') is required to enable inline execution.
[...]
Comparing mobile-html CSP with the one from Parsoid
- mobile-html:
content-security-policy: default-src 'self'; object-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'
- html:
content-security-policy: default-src 'none'; media-src *; img-src *; style-src http://*.wikipedia.org https://*.wikipedia.org 'unsafe-inline';frame-ancestors 'self'
I think even if we used the Parsoid CSP header we would probably be missing the script-src one. We might need to set our own one, unless someone has a better idea.
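To make the comparison above concrete, here is a small CSP evaluator, added as an example (it is not part of this report, RESTBase or Parsoid). It parses the two headers quoted above and reproduces the browser's decisions from the console: script-src falling back to default-src, and style-src * not covering inline styles. The CANDIDATE_CSP at the end is a constructed, hypothetical header used only to show the same checks passing; it is not a proposed fix from the report. Only the source expressions that matter here ('self', 'none', 'unsafe-inline', *, and scheme/host patterns) are modelled; hashes and nonces are not.

```python
"""Minimal Content-Security-Policy evaluator (added example, not project code)."""
from urllib.parse import urlparse

# Headers quoted in the report.
MOBILE_HTML_CSP = ("default-src 'self'; object-src 'none'; media-src *; "
                   "img-src *; style-src *; frame-ancestors 'self'")
PARSOID_HTML_CSP = ("default-src 'none'; media-src *; img-src *; "
                    "style-src http://*.wikipedia.org https://*.wikipedia.org "
                    "'unsafe-inline';frame-ancestors 'self'")
# Hypothetical header constructed for illustration only (an assumption, not a fix).
CANDIDATE_CSP = ("default-src 'self'; script-src 'self' https://meta.wikimedia.org; "
                 "style-src 'self' 'unsafe-inline'; img-src *; media-src *; "
                 "object-src 'none'; frame-ancestors 'self'")

PAGELIB_URL = "https://meta.wikimedia.org/api/rest_v1/data/javascript/mobile/pagelib"
PAGE_ORIGIN = "https://en.wikipedia.org"

# Fetch directives that fall back to default-src when not set (subset of the spec).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "media-src",
                    "object-src", "connect-src", "font-src"}


def parse_csp(header):
    """Split 'name src src; name src' into {name: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Explicit source list, or the default-src fallback the browser would use."""
    if directive in policy:
        return policy[directive], directive
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None  # neither set: unrestricted


def source_allows_url(source, url, page_origin):
    """Does one source expression permit fetching url from a page at page_origin?"""
    u = urlparse(url)
    if source == "*":
        return u.scheme in ("http", "https")
    if source == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', hashes and nonces never match a URL
    # host-source: optional scheme, host with optional leading "*."
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme != u.scheme:
            return False
    else:
        host = source
    host = host.split("/", 1)[0]
    hostname = u.hostname or ""
    if host.startswith("*."):
        return hostname.endswith(host[1:])  # subdomains only, per spec
    return hostname == host


def check_url(header, directive, url, page_origin=PAGE_ORIGIN):
    """Return (allowed, reason) in the spirit of the DevTools console message."""
    sources, used = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True, f"no {directive} or default-src: unrestricted"
    allowed = any(source_allows_url(s, url, page_origin) for s in sources)
    note = (f" ('{directive}' not set, '{used}' used as fallback)"
            if used != directive else "")
    return allowed, f"{used} {' '.join(sources)}{note}"


def check_inline_style(header):
    """Inline <style> needs 'unsafe-inline' (or a hash/nonce, not modelled); '*' is not enough."""
    sources, used = effective_sources(parse_csp(header), "style-src")
    if sources is None:
        return True, "no style-src or default-src: unrestricted"
    return "'unsafe-inline'" in sources, f"{used} {' '.join(sources)}"


if __name__ == "__main__":
    for name, csp in [("mobile-html", MOBILE_HTML_CSP),
                      ("Parsoid html", PARSOID_HTML_CSP),
                      ("candidate (hypothetical)", CANDIDATE_CSP)]:
        print(f"== {name}")
        print("  pagelib script:", check_url(csp, "script-src", PAGELIB_URL))
        print("  inline style:  ", check_inline_style(csp))
```

Running it shows both headers refusing the pagelib script (mobile-html via the default-src 'self' fallback, Parsoid via default-src 'none'), which is the point made above: swapping in the Parsoid header alone would not fix the script, and style-src * still blocks the inline CSS.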