
Beta Cluster cross-wiki login request would be blocked by CSP
Closed, Resolved, Public

Description

I notice the following two errors in the console on Beta Cluster after logging in.

[Report Only] Refused to load the image 'https://en.wikisource.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Main_Page:147 [Report Only] Refused to load the image 'https://en.wikibooks.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Main_Page:147 [Report Only] Refused to load the image 'https://en.wikiversity.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

These errors are repeated 55 times in total. For each of the entry points CA tries to hit:

Special:CentralAutoLogin/start
Special:CentralAutoLogin/checkLoggedIn
Special:CentralAutoLogin/createSession
Special:CentralAutoLogin/validateSession
Special:CentralAutoLogin/setCookies

Multiplied by the number of wiki projects.

Event Timeline

Krinkle renamed this task from Beta Cluster login.wikimedia request blocked by CORS policy to Beta Cluster cross-wiki login request blocked by CORS policy. Sep 7 2019, 6:20 PM
Krinkle updated the task description.
sbassett triaged this task as Medium priority. Oct 4 2019, 5:16 PM
sbassett moved this task from Incoming to Waiting on the Security-Team board.

@Krinkle - Is this just a logspam/perf issue for now? Two potential solutions:

  1. Relax the img-src (and/or default-src) CSP directive to *.beta.wmflabs.org
  2. Disable CSP reporting for *.beta.wmflabs.org, which is probably overkill, though I'm not certain how useful such reporting is on beta anyways

@sbassett These CSP warnings come from configuration intended for (and live in) production. There the config is working correctly and user logins are not reported as violations.

Having this in Beta is useful so that developers know if their code is going to warn in production before it reaches there. QA engineers also tend to look for warnings like this and report them (although not anymore since this noise started – "ignore the console, always contains 385 CSP errors after login").

I don't think it needs to be looser, it just needs to contain the right domain suffixes so that it does the same as prod for Beta. Right now some of the domains are hardcoded for prod and don't work as intended, and some are dynamic in config and do work.

sbassett renamed this task from Beta Cluster cross-wiki login request blocked by CORS policy to Beta Cluster cross-wiki login request blocked by CSP. Oct 7 2019, 4:53 PM
sbassett renamed this task from Beta Cluster cross-wiki login request blocked by CSP to Beta Cluster cross-wiki login request would be blocked by CSP.

Change 541312 had a related patch set uploaded (by SBassett; owner: SBassett):
[operations/mediawiki-config@master] Beta Cluster cross-wiki login request would be blocked by CSP

https://gerrit.wikimedia.org/r/541312

Change 541312 merged by jenkins-bot:
[operations/mediawiki-config@master] [Beta Cluster] Let cross-wiki login requests work when CSP is switched on

https://gerrit.wikimedia.org/r/541312

[operations/mediawiki-config@master] [Beta Cluster] Let cross-wiki login requests work when CSP is switched on

This config change loosens the policy set by the img-src directive (which is currently not set and thus falling back to the default-src directive.)

https://gerrit.wikimedia.org/r/541312

Thanks :) There may've been a misunderstanding here. This still applies the unrelated production config to Beta, but with an added exception for img-src specifically. I don't think the Beta Cluster config is meant to be looser or logically from prod. It doesn't have any special needs for it.

The reason it got caught by img-src/default-src rule previously is because it was set to the production hostnames, which beta doesn't need to access. The production configuration whitelists login.wikimedia.org and *.wiktionary.org etc instead of login.beta.wmflabs and *.wiktionary.beta.wmflabs. We already vary these hostnames in the config by realm for other cases, but it wasn't applied here yet. We might want to do that instead here.

Thanks :) There may've been a misunderstanding here. This still applies the unrelated production config to Beta, but with an added exception for img-src specifically. I don't think the Beta Cluster config is meant to be looser or logically from prod. It doesn't have any special needs for it.

Hmm, it still doesn't appear to be working on beta even though r541312 was merged and deployed. I'm still not seeing an img-src directive on any beta sites, so I'm not sure what's going on. And just clicking around, it seems many additional resources are attempting to load under various beta domains, beyond the CentralAuth tracking pixels or whatever they are. I guess I'm not picking up on what you're suggesting: do you want to add the beta site domains to the primary CSP in CommonSettings.php for all relevant directives? Basically wherever there's a *.wikiproject.org now, add the equivalent beta domain? In discussing this with @Jdforrester-WMF yesterday, we opted for the initial separation of the img-src directive to solve the specific problem this bug reports. Which didn't work as the config didn't make it to beta or is being overridden or ignored for some reason, but should solve this specific problem once that issue is resolved.

Yeah, the extension function in -labs seems to be getting run before the main one.

Helps but doesn't fix. Let's try putting the wikis properly into CSPReportOnly mode?

Change 541655 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] [Beta Cluster] Enable wmgUseCSPReportOnly for all

https://gerrit.wikimedia.org/r/541655

Thanks :) There may've been a misunderstanding here. This still applies the unrelated production config to Beta, but with an added exception for img-src specifically. I don't think the Beta Cluster config is meant to be looser or logically from prod. It doesn't have any special needs for it.

[…] I guess I'm not picking up on what you're suggesting: do you want to add the beta site domains to the primary CSP in CommonSettings.php for all relevant directives? Basically wherever there's a *.wikiproject.org now, add the equivalent beta domain?

Almost, "replace with" instead of "add". We don't want to whitelist Beta domains in prod. And, we also don't need to whitelist prod domains in Beta. This last point might be what was causing the confusion. CentralAuth and MediaWiki are set up similarly in Beta as prod (for the most part). So the same conceptual domains should be whitelisted there as in prod. They just have a different domain suffix.
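Added example, not code from this task or from MediaWiki: a small Python checker that applies the img-src to default-src fallback named in the console messages above, and then the realm rewrite Krinkle proposes (swap the production suffix for the Beta one rather than adding hosts). The policy string is a constructed excerpt of the one quoted in the description; all function names are mine, and ports and paths are ignored as a simplification.

```python
from urllib.parse import urlparse

# Constructed excerpt of the production-style default-src list quoted in the task.
PROD_POLICY = ("default-src 'self' data: blob: https://upload.beta.wmflabs.org "
               "*.wikimedia.org *.wikipedia.org *.wikisource.org wikimedia.org")

def parse_policy(header):
    """Turn 'dir src src; dir2 src' into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, page_origin):
    """Match one CSP source expression against a URL (ports/paths ignored)."""
    u = urlparse(url)
    hostname = u.hostname or ""
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.endswith(":"):                     # scheme source such as data: or blob:
        return u.scheme == source[:-1]
    scheme, sep, host = source.rpartition("://")
    if sep and u.scheme != scheme:               # host source with an explicit scheme
        return False
    if host.startswith("*."):                    # wildcard covers any subdomain label
        return hostname.endswith(host[1:])
    return hostname == host

def is_allowed(policy, directive, url, page_origin):
    """Return (allowed, effective directive); an unset directive falls back to default-src."""
    effective = directive if directive in policy else "default-src"
    sources = policy.get(effective, [])
    return any(source_matches(s, url, page_origin) for s in sources), effective

def realm_policy(header, beta_suffix=".beta.wmflabs.org"):
    """Rewrite production project hosts (*.wikisource.org etc.) to the Beta realm.

    Hosts already under wmflabs.org are left alone; this replaces, it does not add."""
    out = []
    for token in header.split():
        tail = ";" if token.endswith(";") else ""
        scheme, sep, host = token.rstrip(";").rpartition("://")
        if host.endswith(".org") and not host.endswith(".wmflabs.org"):
            host = host[: -len(".org")] + beta_suffix
        out.append(scheme + sep + host + tail)
    return " ".join(out)
```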

Change 541655 merged by jenkins-bot:
[operations/mediawiki-config@master] [Beta Cluster] Enable wmgUseCSPReportOnly for all

https://gerrit.wikimedia.org/r/541655

Eurgh, no.

I'm going to have to wade through MW's CSP code to work out what's not working.

Requests from the mobile domain to the canonical domain (e.g. cs.m.wikipedia.beta.wmflabs.org -> cs.wikipedia.beta.wmflabs.org) are also faux-blocked. This would affect EventLogging, probably a number of other things too.

Change 571112 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@master] Ensure that CentralAuth lists all domains it contacts in CSP policy

https://gerrit.wikimedia.org/r/571112

Change 571112 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Ensure that CentralAuth lists all domains it contacts in CSP policy

https://gerrit.wikimedia.org/r/571112

Bawolff claimed this task.