
Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain)
Open, Needs Triage, Public

Description

The following error gets logged to console when Code editor is enabled, e.g. on a user .js page:

[Report Only] Refused to create a worker from 'blob:https://en.wikipedia.org/54cbff0d-76ed-46ab-85c9-b2afa7cf84e3' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Since CSP is in Report Only mode, Code editor is still working.

Event Timeline

Evad37 created this task. Jan 25 2019, 11:28 PM
Restricted Application added a subscriber: Aklapper. Jan 25 2019, 11:28 PM

Hm, that doesn't match *.wikipedia.org?


No, blob: URLs aren't included in generic domains. They have to be whitelisted separately.

AFAIK, allowing blob: URLs is equivalent to allowing unsafe-eval (since the blob URI scheme is a lot like the data: URI scheme), which is something that ideally we would get rid of in the long term (ideally there would be no way to dynamically create JS, thus eliminating the risk of JS insertion). Although I suppose that the long term is very far away.
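A small policy matcher, added here as an illustration and not part of this task or of MediaWiki's code, that reproduces the two points made in the comments above: host sources such as *.wikipedia.org and 'self' never match a blob: URL, so only a scheme source (`blob:`) can allow the worker, and a missing worker-src falls back to child-src, then script-src, then default-src (the CSP Level 3 chain; the console message skips the child-src step because it is also absent). The policy string and worker URL are the ones quoted in the console error in the description; port, path and report-uri handling are deliberately omitted, and the fallback table covers only the two directives used here.

```python
import re
from urllib.parse import urlsplit

# Fetch-directive fallback chains as defined in CSP Level 3: a missing
# worker-src falls back to child-src, then script-src, then default-src.
FALLBACKS = {
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "script-src": ["script-src", "default-src"],
}

# The report-only policy and worker URL quoted in the task's console error.
PAGE_ORIGIN = "https://en.wikipedia.org"
WORKER_URL = "blob:https://en.wikipedia.org/54cbff0d-76ed-46ab-85c9-b2afa7cf84e3"
POLICY = ("script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org "
          "*.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org "
          "*.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org "
          "*.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'")


def parse_policy(header):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Return (governing directive name, its source list) after fallback."""
    for name in FALLBACKS.get(directive, [directive, "default-src"]):
        if name in policy:
            return name, policy[name]
    return None, None


def host_source_matches(source, url, page_origin):
    """CSP host-source of the form [scheme://][*.]host (ports/paths omitted)."""
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([^/:*']+)", source, re.I)
    if not m:
        return False
    scheme, wildcard, host = m.groups()
    u = urlsplit(url)
    # A scheme-less host source inherits the page's scheme (https also
    # satisfies http). A blob: or data: URL can therefore never match a
    # host source, however broad the wildcard.
    want = (scheme or urlsplit(page_origin).scheme).lower()
    accepted = ("http", "https") if want == "http" else (want,)
    if u.scheme not in accepted:
        return False
    target, host = (u.hostname or "").lower(), host.lower()
    return target.endswith("." + host) if wildcard else target == host


def source_allows(source, url, page_origin):
    """Does one source expression permit loading `url`?"""
    s, u, p = source.lower(), urlsplit(url), urlsplit(page_origin)
    if s == "'self'":
        # Same scheme and host as the page; a blob: URL has scheme "blob".
        return u.scheme == p.scheme and (u.hostname or "").lower() == p.hostname
    if s.startswith("'"):
        # 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL.
        return False
    if s == "*":
        # '*' matches network schemes but not blob:, data: or filesystem:.
        return u.scheme not in ("blob", "data", "filesystem")
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", s):
        # Scheme source such as blob: or https:; the only way to allow a blob: worker.
        return u.scheme == s[:-1] or (s == "http:" and u.scheme == "https")
    return host_source_matches(source, url, page_origin)


def allows(header, directive, url, page_origin=PAGE_ORIGIN):
    """Return (allowed?, governing directive) for one fetch under a policy."""
    name, sources = effective_sources(parse_policy(header), directive)
    if sources is None:
        return True, None  # no directive governs this fetch
    return any(source_allows(s, url, page_origin) for s in sources), name


if __name__ == "__main__":
    print(allows(POLICY, "worker-src", WORKER_URL))
    print(allows(POLICY + " blob:", "worker-src", WORKER_URL))
    print(allows("worker-src blob:; " + POLICY, "worker-src", WORKER_URL))
    print(allows(POLICY, "script-src", "https://en.wikipedia.org/w/load.php"))
```

Run against the quoted policy, the blob: worker is refused under the script-src fallback exactly as the console reported, a regular https script from the same origin is allowed through 'self', and the worker is only permitted once `blob:` appears either in script-src or in an explicit worker-src. The last form is the narrower fix: it allows blob: workers without also widening what script-src itself accepts.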

Aklapper renamed this task from Code editor violates Content Security Policy directive to Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain). Jan 26 2019, 1:28 PM
Nirmos added a subscriber: Nirmos. Jan 26 2019, 5:22 PM