
JSDuck at doc.wikimedia.org loads fonts from google
Closed, ResolvedPublic

Description

Generally loading external resources isn't cool.

If you look at the bottom of https://doc.wikimedia.org/mediawiki-core/master/js/

<script type="text/javascript">
(function(){
  var protocol = (document.location.protocol === "https:") ? "https:" : "http:";
  document.write("<link href='"+protocol+"//fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css' />");
})();
</script>

Event Timeline

Upstream is basically saying it's unmaintained... Filed T213428 to work out what we do about using it in our infrastructure.

I guess worst case scenario, we could add a post-processing step

The task to fix/replace JSDuck specifically, is T138401.

The general task to make sure auto-generated docs technically cannot establish third-party connections is T213223. The CSP policy will make sure that even if individual teams forget to think about this when adopting some new tool, or if an upstream library is updated and introduces a regression of this kind, that it won't hurt us.

Between those two, I think this task is covered, and could be closed in favour of those two.

T213223 applied a CSP policy on doc.wikimedia.org and fonts.googleapis.com is now blocked by browsers supporting CSP. So I guess it is enough to mark this resolved?

(T213223 got partially reverted hence this task is still open)

Jdlrobson added a subscriber: Jdlrobson.

please use jsdoc rather than fixing this (see T138401)

Not fixed until that task is done.

Jdlrobson changed the task status from Open to Stalled. Mar 15 2021, 6:28 PM

on completion of T138401.

hashar claimed this task.

That is fixed by applying a CSP rule which leads to:

Content Security Policy: The page’s settings blocked the loading of a resource at https://fonts.googleapis.com/css?family=Exo (“style-src”).

That was done via T213223.
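The comments above rely on one mechanism: a `Content-Security-Policy` header whose `style-src` (or, when that is absent, `default-src`) source list does not include `fonts.googleapis.com`, so the browser refuses the injected stylesheet and logs the "(style-src)" message quoted above. The following added example, which is not Wikimedia or Phabricator code, is a small CSP source-list evaluator that reproduces that decision offline: it parses a policy header, picks the governing directive with the `default-src` fallback, and matches the resource URL against `'self'`, scheme sources, and host sources (including `*.` wildcards and ports). The policy string, page URL and resource URLs below are constructed for illustration; the real header sent by doc.wikimedia.org is not on this page, and path components of host sources are ignored as a simplification.

```python
"""Minimal CSP source-list evaluator (constructed example, not Wikimedia code).

Assumptions: path components of host-sources are ignored, and keyword sources
other than 'self' and 'none' ('unsafe-inline', nonces, hashes) never match a
fetched URL because they govern inline content, not network fetches.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives that fall back to default-src when absent from the policy.
FETCH_DIRECTIVES = {"style-src", "script-src", "font-src", "img-src",
                    "connect-src", "frame-src"}


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    A repeated directive keeps its first occurrence, as browsers do.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def _host_source_matches(source, url):
    """Match host-sources such as https://fonts.googleapis.com, *.wikimedia.org or host:443."""
    scheme, rest = (source.split("://", 1) if "://" in source else (None, source))
    hostport = rest.split("/", 1)[0]
    host, port = (hostport.rsplit(":", 1) if ":" in hostport else (hostport, ""))
    if scheme and scheme.lower() != url.scheme:
        return False
    if port and port != "*" and str(_port(url)) != port:
        return False
    host, uhost = host.lower(), (url.hostname or "").lower()
    if host == "*":
        return True
    if host.startswith("*."):
        return uhost.endswith(host[1:])  # host[1:] is ".example.com": subdomains only
    return uhost == host


def _source_matches(source, url, page):
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":  # same scheme, host and port as the document
        return (url.scheme, url.hostname, _port(url)) == (page.scheme, page.hostname, _port(page))
    if s.startswith("'"):  # 'unsafe-inline', 'nonce-...', 'sha256-...'
        return False
    if s.endswith(":") and "/" not in s:  # scheme-source such as https: or data:
        return url.scheme == s[:-1]
    return _host_source_matches(source, url)


def evaluate(header, directive, resource_url, page_url):
    """Return (allowed, governing_directive); governing_directive is None if nothing restricts the fetch."""
    policy = parse_csp(header)
    if directive in policy:
        governing = directive
    elif directive in FETCH_DIRECTIVES and "default-src" in policy:
        governing = "default-src"
    else:
        return True, None
    url, page = urlparse(resource_url), urlparse(page_url)
    return any(_source_matches(s, url, page) for s in policy[governing]), governing


# Constructed policy in the spirit of T213223 (not the header doc.wikimedia.org actually sends).
DOC_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
PAGE = "https://doc.wikimedia.org/mediawiki-core/master/js/"
GOOGLE_CSS = "https://fonts.googleapis.com/css?family=Exo"


def report(header, directive, resource_url, page_url=PAGE):
    """Render the decision in the shape of the browser console message quoted in the task."""
    allowed, governing = evaluate(header, directive, resource_url, page_url)
    if allowed:
        return f"allowed the loading of {resource_url}"
    return f"blocked the loading of a resource at {resource_url} ({governing})"


if __name__ == "__main__":
    print(report(DOC_POLICY, "style-src", GOOGLE_CSS))
    print(report(DOC_POLICY, "style-src", "https://doc.wikimedia.org/cover.css"))
    # font-src is absent, so the font file itself falls back to default-src 'self'.
    print(report(DOC_POLICY, "font-src", "https://fonts.gstatic.com/s/exo/v1/x.woff2"))
```

Two points the output makes visible: the stylesheet is refused under `style-src` exactly as the quoted console line says, and because the constructed policy has no `font-src`, the font files that stylesheet would have pulled from a second host are also refused via the `default-src` fallback. A directive-specific allowlist such as `style-src 'self' https://fonts.googleapis.com` is what it would take to re-enable the fetch, which is the regression the CSP comment above is designed to catch.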