Development is blocked, waiting for ??? to resolve T254143: Recommendation api always returns 404 when seed article is not supplied
Content Security Policy (CSP) is a security layer that limits the cross-site connections. As CSP gets increasingly enforced (T244124), this can be an issue for Content Translation since it currently gets suggestions from the recommendation API running on wmflabs.org.
Currently on Wikipedia, when viewing suggestions, we can see this on browser console:
VM39:1 [Report Only] Refused to connect to 'https://recommend.wmflabs.org/types/translation/v1/articles?source=de&target=gu&seed=&search=morelike&application=CX' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
Anticipating that at some point "Report only" will be replaced with a hard block, which will break suggestions if nothing is done, we should ensure that we take measure to keep it working. Possibilities:
- Make recommendation api to a production service (preferred, but no resources?)
- Have recommendation api to be included in the whitelist (need to determine how)
Content Translation gets suggestions from a maintained production service that does not have privacy issues.