
mobile-html CSP issues
Closed, Resolved (Public)

Description

https://en.wikipedia.org/api/rest_v1/page/mobile-html/Foobar doesn't load correctly yet because of CSP issues.

It doesn't load the pagelib JavaScript bundle, and complains about the site-specific CSS and the inline CSS. I don't see any complaints about the base CSS in the console, but then I also don't see any of it used when inspecting a reference.

From Chrome DevTools console:

Refused to load the script 'https://meta.wikimedia.org/api/rest_v1/data/javascript/mobile/pagelib' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-6FWIojjtZwiNizws7ImlHjGH3DA5yMh5x4c+/4UVpXk='), or a nonce ('nonce-...') is required to enable inline execution.

[...]

Comparing mobile-html CSP with the one from Parsoid

  • mobile-html:
    content-security-policy: default-src 'self'; object-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'
  • html:
    content-security-policy: default-src 'none'; media-src *; img-src *; style-src http://*.wikipedia.org https://*.wikipedia.org 'unsafe-inline';frame-ancestors 'self'

I think even if we used the Parsoid CSP header we would probably be missing the script-src one. We might need to set our own one, unless someone has a better idea.
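The comparison above, worked through as an added example (not part of the original task or of the mobileapps code): a simplified CSP evaluator applied to the two headers quoted in the description. It models only `default-src` fallback, `'self'`, `*`, host wildcards and `'unsafe-inline'`; the function names and the `SELF` origin are assumptions made for illustration.

```javascript
// Simplified CSP model: ignores nonces, hashes, paths and ports.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !policy.has(name)) policy.set(name, sources); // first occurrence wins
  }
  return policy;
}

// Fetch directives such as script-src and style-src fall back to default-src.
function effectiveSources(header, directive) {
  const policy = parseCsp(header);
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

function matchesSource(source, url, selfOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === selfOrigin;
  if (source === '*') return u.protocol === 'http:' || u.protocol === 'https:';
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme + ':' !== u.protocol) return false;
  return wildcard ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

function allowsUrl(header, directive, url, selfOrigin) {
  const sources = effectiveSources(header, directive);
  return sources === null || sources.some((s) => matchesSource(s, url, selfOrigin));
}

function allowsInline(header, directive) {
  const sources = effectiveSources(header, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Headers and script URL copied from the task description; SELF is the assumed page origin.
const MOBILE_HTML = "default-src 'self'; object-src 'none'; media-src *; img-src *; style-src *; frame-ancestors 'self'";
const PARSOID = "default-src 'none'; media-src *; img-src *; style-src http://*.wikipedia.org https://*.wikipedia.org 'unsafe-inline';frame-ancestors 'self'";
const PAGELIB = 'https://meta.wikimedia.org/api/rest_v1/data/javascript/mobile/pagelib';
const SELF = 'https://en.wikipedia.org';

for (const [label, csp] of [['mobile-html', MOBILE_HTML], ['html', PARSOID]]) {
  console.log(label, {
    pagelibScript: allowsUrl(csp, 'script-src', PAGELIB, SELF),
    inlineStyle: allowsInline(csp, 'style-src'),
  });
}
```

Under this model both headers reject the cross-origin pagelib script, and only the Parsoid header permits inline styles, which matches the two console errors quoted above.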

Event Timeline

bearND created this task.

Change 449632 had a related patch set uploaded (by BearND; owner: BearND):
[mediawiki/services/mobileapps@master] mobile-html: set custom CSP header

https://gerrit.wikimedia.org/r/449632

Change 449632 merged by jenkins-bot:
[mediawiki/services/mobileapps@master] mobile-html: set custom CSP header

https://gerrit.wikimedia.org/r/449632

Jdforrester-WMF removed a project: Patch-For-Review.
Jdforrester-WMF subscribed.

First patch merged, just needs the data: bit fixed.

Change 449801 had a related patch set uploaded (by BearND; owner: BearND):
[mediawiki/services/mobileapps@master] mobile-html: CSP: allow data: URIs

https://gerrit.wikimedia.org/r/449801

Change 449801 merged by jenkins-bot:
[mediawiki/services/mobileapps@master] mobile-html: CSP: allow data: URIs

https://gerrit.wikimedia.org/r/449801

Mentioned in SAL (#wikimedia-operations) [2018-08-01T20:04:19Z] <bsitzmann@deploy1001> Started deploy [mobileapps/deploy@c2448e0]: Update mobileapps to 282f368 (T200464 T200459)

Mentioned in SAL (#wikimedia-operations) [2018-08-01T20:10:02Z] <bsitzmann@deploy1001> Finished deploy [mobileapps/deploy@c2448e0]: Update mobileapps to 282f368 (T200464 T200459) (duration: 05m 42s)