Page MenuHomePhabricator

Beta Cluster cross-wiki login request would be blocked by CSP
Closed, ResolvedPublic

Description

I notice the following two errors in the console on Beta Cluster after logging-in.

[Report Only] Refused to load the image 'https://en.wikisource.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Main_Page:147 [Report Only] Refused to load the image 'https://en.wikibooks.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Main_Page:147 [Report Only] Refused to load the image 'https://en.wikiversity.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

These errors are repeated 55 times in total. For each of the entry points CA tries to hit:

Special:CentralAutoLogin/start,
Special:CentralAutoLogin/checkLoggedIn
Special:CentralAutoLogin/createSession
Special:CentralAutoLogin/validateSession
Special:CentralAutoLogin/setCookies

Multiplied by the number of wiki projects.

Event Timeline

Krinkle created this task.Dec 10 2018, 5:23 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 10 2018, 5:23 AM
Krinkle renamed this task from Beta Cluster login.wikimedia request blocked by CORS policy to Beta Cluster cross-wiki login request blocked by CORS policy.Sep 7 2019, 6:20 PM
Krinkle updated the task description. (Show Details)
sbassett triaged this task as Medium priority.Oct 4 2019, 5:16 PM
sbassett moved this task from Incoming to Waiting on the Security-Team board.

@Krinkle - Is this just a logspam/perf issue for now? Two potential solutions:

  1. Relax the img-src (and/or default-src) CSP directive to *.beta.wmflabs.org
  2. Disable CSP reporting for *.beta.wmflabs.org, which is probably overkill, though I'm not certain how useful such reporting is on beta anyways
Krinkle added a comment.EditedOct 4 2019, 5:22 PM

@sbassett These CSP warnings come from configuration intended for (and live in) production. There the config is working correctly and user logins are not reported as violations.

Having this in Beta is useful so that developers know if their code is going to warn in production before it reaches there. QA engineers also tend to look for warnings like this and report them (although not anymore since this noise started – "ignore the console, always contains 385 CSP errors after login").

I don't think it needs to be looser, it just needs to contain the right domain suffixes so that it does the same as prod for Beta. Right now some of the domains are hardcoded for prod and don't work as intended, and some are dynamic in config and do work.

sbassett renamed this task from Beta Cluster cross-wiki login request blocked by CORS policy to Beta Cluster cross-wiki login request blocked by CSP.Oct 7 2019, 4:53 PM
sbassett renamed this task from Beta Cluster cross-wiki login request blocked by CSP to Beta Cluster cross-wiki login request would be blocked by CSP.

Change 541312 had a related patch set uploaded (by SBassett; owner: SBassett):
[operations/mediawiki-config@master] Beta Cluster cross-wiki login request would be blocked by CSP

https://gerrit.wikimedia.org/r/541312

Change 541312 merged by jenkins-bot:
[operations/mediawiki-config@master] [Beta Cluster] Let cross-wiki login requests work when CSP is switched on

https://gerrit.wikimedia.org/r/541312

[operations/mediawiki-config@master] [Beta Cluster] Let cross-wiki login requests work when CSP is switched on

This config change loosens the policy set by the
img-src directive (which is currently not set and thus falling
back to the default-src directive.)

https://gerrit.wikimedia.org/r/541312

Thanks :) There may've been a misunderstanding here. This still applies the unrelated production config to Beta, but with an added exception for img-src specifically. I don't think the Beta Cluster config is meant to be looser or logically from prod. It doesn't have any special needs for it.

The reason it got caught by img-src/default-src rule previously is because it was set to the production hostnames, which beta doesn't need to access. The production configuration whitelists login.wikimedia.org and *.wiktionary.org etc instead of login.beta.wmflabs and *.wiktionary.beta.wmflabs. We already vary these hostnames in the config by realm for other cases, but it wasn't applied here yet. We might want to do that instead here.

Thanks :) There may've been a misunderstanding here. This still applies the unrelated production config to Beta, but with an added exception for img-src specifically. I don't think the Beta Cluster config is meant to be looser or logically from prod. It doesn't have any special needs for it.

Hmm, it still doesn't appear to be working on beta even though r541312 was merged and deployed. I'm still not seeing an img-src directive on any beta sites, so I'm not sure what's going on. And just clicking around, it seems many additional resources are attempting to load under various beta domains, beyond the CentralAuth tracking pixels or whatever they are. I guess I'm not picking up on what you're suggesting: do you want to add the beta site domains to the primary CSP in CommonSettings.php for all relevant directives? Basically wherever there's a *.wikiproject.org now, add the equivalent beta domain? In discussing this with @Jdforrester-WMF yesterday, we opted for the initial separation of the img-src directive to solve the specific problem this bug reports. Which didn't work as the config didn't make it to beta or is being overridden or ignored for some reason, but should solve this specific problem once that issue is resolved.

Yeah, the extension function in -labs seems to be getting run before the main one.

Helps but doesn't fix. Let's try putting the wikis properly into CSPReportOnly mode?

Change 541655 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[operations/mediawiki-config@master] [Beta Cluster] Enable wmgUseCSPReportOnly for all

https://gerrit.wikimedia.org/r/541655

Krinkle added a comment.EditedOct 8 2019, 10:26 PM

Thanks :) There may've been a misunderstanding here. This still applies the unrelated production config to Beta, but with an added exception for img-src specifically. I don't think the Beta Cluster config is meant to be looser or logically from prod. It doesn't have any special needs for it.

[…] I guess I'm not picking up on what you're suggesting: do you want to add the beta site domains to the primary CSP in CommonSettings.php for all relevant directives? Basically wherever there's a *.wikiproject.org now, add the equivalent beta domain?

Almost, "replace with" instead of "add". We don't want to whitelist Beta domains in prod. And, we also don't need to whitelist prod domains in Beta. This list point might be what was causing the confusion. CentralAuth and MediaWiki are set up similarly in Beta as prod (for the most part). So the same conceptual domains should be whitelisted there as in prod. They just have a different domain suffix.

Change 541655 merged by jenkins-bot:
[operations/mediawiki-config@master] [Beta Cluster] Enable wmgUseCSPReportOnly for all

https://gerrit.wikimedia.org/r/541655

Eurgh, no.

I'm going to have to wade through MW's CSP code to work out what's not working.

Tgr added a subscriber: Tgr.Jan 17 2020, 1:35 AM

Requests from the mobile domain to the canonical domain (e.g. cs.m.wikipedia.beta.wmflabs.org -> cs.wikipedia.beta.wmflabs.org) are also faux-blocked. This would affect EventLogging, probably a number of other things too.

Change 571112 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CentralAuth@master] Ensure that CentralAuth lists all domains it contacts in CSP policy

https://gerrit.wikimedia.org/r/571112

Change 571112 merged by jenkins-bot:
[mediawiki/extensions/CentralAuth@master] Ensure that CentralAuth lists all domains it contacts in CSP policy

https://gerrit.wikimedia.org/r/571112

Krinkle removed a subscriber: Krinkle.Mar 16 2020, 9:21 PM
Bawolff closed this task as Resolved.Mar 22 2020, 10:40 PM
Bawolff claimed this task.