
JSDuck at loads fonts from google
Open, Needs Triage, Public


Generally loading external resources isn't cool.

If you look at the bottom of

<script type="text/javascript">
  var protocol = (document.location.protocol === "https:") ? "https:" : "http:";
  document.write("<link href='"+protocol+"//' rel='stylesheet' type='text/css' />");

Event Timeline

Bawolff created this task. Jan 9 2019, 1:32 PM
Restricted Application added a subscriber: Aklapper. Jan 9 2019, 1:32 PM
Reedy added a comment. Jan 10 2019, 1:40 PM

Upstream is basically saying it's unmaintained... Filed T213428 to work out what we do about using it in our infrastructure.

I guess worst case scenario, we could add a post-processing step

The task to fix/replace JSDuck specifically is T138401.

The general task to make sure auto-generated docs technically cannot establish third-party connections is T213223. The CSP policy will make sure that even if individual teams forget to think about this when adopting some new tool, or if an upstream library is updated and introduces a regression of this kind, it won't hurt us.

Between those two, I think this task is covered, and could be closed in favour of those two.
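The two mitigations raised in the thread, a post-processing step over the generated HTML and a CSP that keeps the docs from contacting third parties, as an added Python example. This is not code from the task, from JSDuck or from Wikimedia's tooling; the sample page, the host name fonts.example.invalid and the helper names are constructed here for illustration.

```python
"""Added example (not part of the Phabricator task or of JSDuck): audit
generated HTML for third-party resource loads, the class of issue this task
reports, and build the restrictive Content-Security-Policy header that
T213223 describes."""
import re
from urllib.parse import urlparse

# Constructed sample: the tail of a JSDuck-style page, including a
# document.write() that assembles a stylesheet <link> pointing at an external
# host.  fonts.example.invalid is a placeholder, not a host named on the page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="resources/css/app.css">
<script src="app.js"></script>
<script type="text/javascript">
  var protocol = (document.location.protocol === "https:") ? "https:" : "http:";
  document.write("<link href='"+protocol+"//fonts.example.invalid/css?family=Foo' rel='stylesheet' type='text/css' />");
</script>
</head><body></body></html>
"""

# src=/href= attributes in static markup ...
ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*['"]([^'"]+)['"]""", re.I)
# ... and the string-concatenated "//host/path" form inside document.write(),
# where the quote/concatenation noise around the protocol variable is skipped.
DOCWRITE_RE = re.compile(r"""document\.write\(.*?(//[A-Za-z0-9.-]+/[^'"\s]*)""", re.S)


def external_resources(html, own_hosts=()):
    """Return the set of third-party URLs the page would load.
    Relative URLs and URLs on own_hosts count as first-party."""
    found = set()
    for url in ATTR_RE.findall(html) + DOCWRITE_RE.findall(html):
        parsed = urlparse(url)  # '//host/path' parses with netloc set, scheme empty
        if parsed.netloc and parsed.netloc not in own_hosts:
            found.add(url)
    return found


def csp_header(allow_hosts=()):
    """Build a CSP that restricts every fetch to the page's own origin plus any
    explicitly allowed hosts.  'self' covers the docs' own CSS/JS; nothing else
    may be contacted, so a regressed tool cannot reach a third party."""
    sources = " ".join(("'self'",) + tuple(allow_hosts))
    return f"default-src {sources}; base-uri 'self'; form-action 'none'"


def csp_allows(header, url):
    """Rough check of whether a default-src-only policy permits loading url.
    Relative URLs are same-origin and therefore covered by 'self'."""
    allowed = []
    for directive in header.split(";"):
        parts = directive.strip().split(" ", 1)
        if parts[0] == "default-src" and len(parts) == 2:
            allowed = parts[1].split()
    host = urlparse(url).netloc
    return (not host) or host in allowed or "*" in allowed


if __name__ == "__main__":
    leaks = external_resources(SAMPLE_HTML)
    print("third-party loads found:", sorted(leaks))
    header = csp_header()
    print("Content-Security-Policy:", header)
    for url in leaks:
        print(url, "allowed by CSP:", csp_allows(header, url))
```

Running the script over the constructed page reports the fonts URL built by document.write() as the only third-party load, and shows that the `default-src 'self'` policy would refuse it while still permitting the page's own relative CSS and JS. The regexes are a heuristic for a post-processing audit of static output, not an HTML parser; the CSP is the control that holds even when the audit misses something.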

T213223 applied a CSP policy on and is now blocked by browsers supporting CSP. So I guess it is enough to mark this resolved?

(T213223 got partially reverted hence this task is still open)