Page MenuHomePhabricator

Gadget with SPARQL services and the Content Security Policy ?
Open, Needs TriagePublic



I develop several gadgets (demonstrators) with Wikidata and other SPARQL services...

Now all SPARQL request are refused.

Refused to connect to '<URL>' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: <URL> * * * * * * * * * * *". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

How to develop a gadget with SPARQL services, now ? Is it possible to add a whitelist of URL in wikimedia for personal gadgets ?


Event Timeline

Karima created this task.Oct 30 2018, 4:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 30 2018, 4:42 PM

What other sparql services do the gadgets speak to?

Karima added a comment.EditedOct 31 2018, 10:43 AM

For example, a SPARQL service of one university:
Another example, a SPARQL service of a laboratory:

Are they setup as part of the wdqs to allow federation?
If they are in theory you could proxy all requests via the wdqs?
Thoughts @Smalyshev ?

EBjune added a subscriber: EBjune.Oct 31 2018, 7:12 PM

Just FYI @Addshore , Smalyshev is on vacation until Nov. 6


So is allowed from the CSP policy.

For other domains, we are planning to have a process where individual users can specify that they allow other sources. The details aren't entirely worked out yet, but some sort of solution to this problem will definitely be done (See T208188 for details)

Not sure where that error is coming from - SPARQL responses have access-control-allow-origin: *. Maybe it's something in Mediawiki settings?