Page MenuHomePhabricator

Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain)
Closed, ResolvedPublic


The following error gets logged to console when Code editor is enabled, e.g. on a user .js page:

[Report Only] Refused to create a worker from 'blob:' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' * * * * * * * * * * * 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Since CSP is in Report Only mode, Code editor is still working.

Event Timeline

hm, that doesn't match * ?

hm, that doesn't match * ?

No, blob: urls aren't included in generic domains. They have to be whitelisted separately.

AFAIK, allowing blob: urls is equivalent to allowing unsafe-eval (Since the blob uri scheme is a lot like the data: uri scheme). Which is something that ideally we would get rid of in the long term (Ideally there would be no way to dynamically create JS, thus eliminating the risk of JS insertion). Although I suppose that the long term is very far away.

Aklapper renamed this task from Code editor violates Content Security Policy directive to Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain).Jan 26 2019, 1:28 PM

Change 546421 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CodeEditor@master] Make CodeEditor compatible with CSP

Change 546421 merged by jenkins-bot:
[mediawiki/extensions/CodeEditor@master] Make CodeEditor compatible with CSP

FYI, the blob is used to load a JS worker. JS workers cannot be loaded cross domain (no support for CORS). We used to have the JS hosted on the static domain and it required this method to do the loading... (it was actually added to Ace specifically for us, by me). It seems that since Ace updated this worker loading to ALWAYS use a blob.. Not sure why, though commit logs seem to imply to avoid issues on IE..

It seems there is also an upstream option to bypass loading via blob now, using the loadWorkerFromBlob config option.

We might wanna investigate that.

Interesting. I guess I naively would have assumed workers follow the usually JS loading, where it can execute cross domain but can't read.

It doesn't really matter that much in terms of CSP security - allowing blob, is mostly a form of eval(), and we're already allowing eval for RLStorage.