Page MenuHomePhabricator

Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain)
Closed, ResolvedPublic

Description

The following error gets logged to console when Code editor is enabled, e.g. on a user .js page:

[Report Only] Refused to create a worker from 'blob:https://en.wikipedia.org/54cbff0d-76ed-46ab-85c9-b2afa7cf84e3' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Since CSP is in Report Only mode, Code editor is still working.

Event Timeline

Evad37 created this task.Jan 25 2019, 11:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 25 2019, 11:28 PM

hm, that doesn't match *.wikipedia.org ?

hm, that doesn't match *.wikipedia.org ?

No, blob: urls aren't included in generic domains. They have to be whitelisted separately.

AFAIK, allowing blob: urls is equivalent to allowing unsafe-eval (Since the blob uri scheme is a lot like the data: uri scheme). Which is something that ideally we would get rid of in the long term (Ideally there would be no way to dynamically create JS, thus eliminating the risk of JS insertion). Although I suppose that the long term is very far away.

Aklapper renamed this task from Code editor violates Content Security Policy directive to Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain).Jan 26 2019, 1:28 PM
Nirmos added a subscriber: Nirmos.Jan 26 2019, 5:22 PM

Change 546421 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CodeEditor@master] Make CodeEditor compatible with CSP

https://gerrit.wikimedia.org/r/546421

Change 546421 merged by jenkins-bot:
[mediawiki/extensions/CodeEditor@master] Make CodeEditor compatible with CSP

https://gerrit.wikimedia.org/r/546421

Jdforrester-WMF closed this task as Resolved.Oct 28 2019, 4:25 PM
Jdforrester-WMF assigned this task to Bawolff.
TheDJ added a subscriber: TheDJ.Oct 29 2019, 12:33 PM

FYI, the blob is used to load a JS worker. JS workers cannot be loaded cross domain (no support for CORS). We used to have the JS hosted on the static domain and it required this method to do the loading... (it was actually added to Ace specifically for us, by me). It seems that since Ace updated this worker loading to ALWAYS use a blob.. Not sure why, though commit logs seem to imply to avoid issues on IE..

It seems there is also an upstream option to bypass loading via blob now, using the loadWorkerFromBlob config option.
https://github.com/ajaxorg/ace/commit/30522154a1d7fe37744def3fae4bc3d0a74319bc

We might wanna investigate that.

Interesting. I guess I naively would have assumed workers follow the usually JS loading, where it can execute cross domain but can't read.

It doesn't really matter that much in terms of CSP security - allowing blob, is mostly a form of eval(), and we're already allowing eval for RLStorage.