
Check for maps features that might be affected with CSP policy
Open, Medium, Public

Description

As per https://lists.wikimedia.org/pipermail/wikitech-ambassadors/2018-October/001994.html

Just a heads up, we're enabling CSP in report only mode on wikis. This means if you are loading external resources in your user scripts, you might get an error in your javascript console. Don't panic, so far we are only enabling report only, and will of course give people notice before actually enabling it in enforcing mode. At this stage we are just gathering information on what the impact of CSP would be on the wikis and what sort of external javascript is used in practice.
That said, if you are loading externally hosted javascript from your user JS page, we strongly suggest you do not do this for security reasons.

Check which features under the maps stack might be affected with the CSP policy

Original task: T207900: Enable csp-report-only mode everywhere

Event Timeline

MSantos created this task. Dec 14 2018, 1:20 PM
LGoto added a subscriber: LGoto.

@MSantos what's the priority on this?

MSantos triaged this task as Medium priority. Edited Dec 19 2018, 4:58 PM

@LGoto I will triage it as normal but Michael and I will revisit it tomorrow on Maps grooming. Thanks for noticing!

Mholloway updated the task description. Dec 20 2018, 7:19 PM

@Bawolff the CSP affects Wikivoyage as described above, I would like to ask: how do you think we should deal with that?

So reading a bit more about how wikivoyage works, I think I have a bit of a better understanding. I think ideally the wikivoyage additional tileservers would be defined in an extension (Maybe an extension to Maps, with a hook in maps if you want to keep that separate), so that they could grant additional CSP exceptions to the system.

If all else fails, we could whitelist those domains across all of WikiVoyage, but I'd prefer to avoid that if possible since they are external domains.

My ideal fantasy solution would be to have a proxy server in front of all this, so no external requests are made, but I don't know how practical that is.
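The check this task asks for (which map requests a report-only CSP would flag) and the remedy discussed above (an extension granting extra source exceptions for alternate tile layers) can both be exercised offline with a small policy evaluator. The following is an added example written for this page; it is not code from the Phabricator task, MediaWiki, or the Kartographer extension. It implements a simplified subset of CSP3 source-expression matching (scheme sources, host sources with a leading `*.` wildcard, ports, `'self'`, `*`, and the `default-src` fallback; paths are ignored), which is enough to test a list of tile, geoshape and script URLs against a policy. Every hostname, policy and request URL below is constructed for the example and is not taken from the page.

```python
"""Evaluate which map resource requests a CSP would report or block.

Added example, not project code. Simplified CSP3 matching: host-source
paths are ignored, IPv6 literals are not handled. Hostnames are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}.

    Per CSP, when a directive is repeated only the first occurrence counts.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _effective_port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _same_origin(a, b):
    return (a.scheme, a.hostname, _effective_port(a)) == (b.scheme, b.hostname, _effective_port(b))


def _source_matches(source, u, page):
    """Simplified CSP3 source-expression match against a split URL `u`."""
    src = source.lower()
    if src == "'self'":
        return _same_origin(u, page)
    if src.startswith("'"):                      # 'none', nonces, hashes, 'unsafe-*': never match a URL
        return False
    if src == "*":                               # '*' matches network schemes, not data:/blob:
        return u.scheme in DEFAULT_PORTS
    if src.endswith(":") and "/" not in src:     # scheme-source such as "https:" or "data:"
        return u.scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.split("/", 1)[0].partition(":")
    expected = scheme or page.scheme             # no scheme: inherit the page's scheme
    if not (u.scheme == expected or (expected == "http" and u.scheme == "https")):
        return False                             # http sources may match https URLs, not the reverse
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):   # "*.example.org" does not match bare "example.org"
            return False
    elif u.hostname != host:
        return False
    if port == "*":
        return True
    if port:
        return _effective_port(u) == int(port)
    return _effective_port(u) == DEFAULT_PORTS.get(u.scheme)


def is_allowed(policy, directive, url, page_origin):
    """True if `url` may be fetched under `directive`, falling back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                              # no governing directive: unrestricted
    u, page = urlsplit(url), urlsplit(page_origin)
    return any(_source_matches(s, u, page) for s in sources)


def affected_resources(header, requests, page_origin):
    """Return the (directive, url) pairs the policy would report (or block when enforced)."""
    policy = parse_csp(header)
    return [(d, url) for d, url in requests if not is_allowed(policy, d, url, page_origin)]


def add_sources(policy, directive, extra):
    """Return a copy of `policy` with `extra` appended to `directive`.

    If the directive is absent it is seeded from default-src, because an explicit
    directive disables the default-src fallback and would otherwise drop that list.
    """
    new = {d: list(s) for d, s in policy.items()}
    base = new[directive] if directive in new else list(new.get("default-src", []))
    new[directive] = base + list(extra)
    return new


def serialize(policy):
    """Render a policy dict back into a header value."""
    return "; ".join(" ".join([d, *s]) for d, s in policy.items())


# Constructed sample: a wiki page origin, a report-only policy, and the requests a map page makes.
PAGE_ORIGIN = "https://en.wikivoyage.org"
REPORT_ONLY_POLICY = "default-src 'self' https://*.example.org; script-src 'self'; img-src 'self' https://*.example.org data:"
MAP_REQUESTS = [
    ("img-src", "https://maps.example.org/osm-intl/3/4/5.png"),          # in-house tiles (hypothetical)
    ("img-src", "https://alt-tiles.example.net/hikebike/3/4/5.png"),     # external alternate layer (hypothetical)
    ("script-src", "https://cdn.example.com/leaflet-plugin.js"),         # externally hosted user JS (hypothetical)
    ("connect-src", "https://maps.example.org/geoshape?ids=Q42"),        # governed by default-src fallback
    ("img-src", "https://en.wikivoyage.org/static/marker.png"),          # 'self'
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),                   # inline icon via data: scheme
]

if __name__ == "__main__":
    for directive, url in affected_resources(REPORT_ONLY_POLICY, MAP_REQUESTS, PAGE_ORIGIN):
        print(f"would be reported: {directive} {url}")
    widened = add_sources(parse_csp(REPORT_ONLY_POLICY), "img-src", ["https://alt-tiles.example.net"])
    print("with alt-layer exception:", serialize(widened))
```

Run against the constructed inputs, the external tile layer and the externally hosted script are the two reports; widening `img-src` with the alternate tile origin (what an extension-level exception would do) clears the tile report while leaving the external script flagged, which matches the advice in the quoted announcement.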

Change 572627 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Kartographer@master] Allow setting additional sources for maps (For wikivoyage alt layers)

https://gerrit.wikimedia.org/r/572627