
Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain)
Closed, Resolved (Public)

Description

The following error gets logged to console when Code editor is enabled, e.g. on a user .js page:

[Report Only] Refused to create a worker from 'blob:https://en.wikipedia.org/54cbff0d-76ed-46ab-85c9-b2afa7cf84e3' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'". Note that 'worker-src' was not explicitly set, so 'script-src' is used as a fallback.

Since CSP is in Report Only mode, Code editor is still working.

Event Timeline

hm, that doesn't match *.wikipedia.org ?


No, blob: urls aren't included in generic domains. They have to be whitelisted separately.

AFAIK, allowing blob: urls is equivalent to allowing unsafe-eval (Since the blob uri scheme is a lot like the data: uri scheme). Which is something that ideally we would get rid of in the long term (Ideally there would be no way to dynamically create JS, thus eliminating the risk of JS insertion). Although I suppose that the long term is very far away.

Aklapper renamed this task from Code editor violates Content Security Policy directive to Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain). Jan 26 2019, 1:28 PM

Change 546421 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CodeEditor@master] Make CodeEditor compatible with CSP

https://gerrit.wikimedia.org/r/546421

Change 546421 merged by jenkins-bot:
[mediawiki/extensions/CodeEditor@master] Make CodeEditor compatible with CSP

https://gerrit.wikimedia.org/r/546421

FYI, the blob is used to load a JS worker. JS workers cannot be loaded cross domain (no support for CORS). We used to have the JS hosted on the static domain and it required this method to do the loading... (it was actually added to Ace specifically for us, by me). It seems that since then, Ace updated this worker loading to ALWAYS use a blob. Not sure why, though commit logs seem to imply it was to avoid issues on IE.

It seems there is also an upstream option to bypass loading via blob now, using the loadWorkerFromBlob config option.
https://github.com/ajaxorg/ace/commit/30522154a1d7fe37744def3fae4bc3d0a74319bc

We might wanna investigate that.
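To make the two points in this thread concrete (the reported policy refusing the blob: worker even though `'self'` and `*.wikipedia.org` are listed, and the option of serving the worker from the site's own origin instead, which is what disabling Ace's `loadWorkerFromBlob` amounts to), here is an added example that is not code from the task, from MediaWiki/CodeEditor or from Ace. It is a deliberately simplified model of how a browser resolves a CSP source list for a worker request: it implements the `worker-src` fallback chain and the rule that blob:/data:/filesystem: URLs match only an explicit scheme-source, the behaviour visible in the reported error. Ports, paths, nonces, hashes and redirects are not modelled. The policy string is the one quoted in the description; the page origin is `https://en.wikipedia.org`; the same-origin worker path is a hypothetical placeholder, not a real MediaWiki URL.

```javascript
// Added example: a simplified model of CSP source-list matching for a worker request.
// Not code from the task, MediaWiki, CodeEditor or Ace.
// Modelled rules (CSP3 plus the browser behaviour visible in the reported error):
//   * worker-src falls back to child-src, then script-src, then default-src;
//   * blob:/data:/filesystem: URLs match only an explicit scheme-source such as "blob:",
//     never 'self' or a host wildcard;
//   * "*.example.org" matches any subdomain, a bare host matches exactly.

// The policy quoted in the task description.
const REPORTED_POLICY =
  "script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org " +
  "*.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org " +
  "wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'";

// Constructed sample inputs: the blob URL is the one from the report; the same-origin
// worker path is a hypothetical placeholder for a worker script served by the site itself.
const PAGE_ORIGIN = "https://en.wikipedia.org";
const BLOB_WORKER_URL = "blob:https://en.wikipedia.org/54cbff0d-76ed-46ab-85c9-b2afa7cf84e3";
const SAME_ORIGIN_WORKER_URL = "https://en.wikipedia.org/path/to/worker.js";

// Fallback chains: the first directive present in the policy governs the request.
const FALLBACK = {
  "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
  "script-src": ["script-src", "default-src"],
};

// Parse "name src src; name src" into a Map of directive name -> list of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return [governingDirectiveName, sources] for the requested directive, or [null, null]
// when nothing in the policy governs it (the browser then allows the request).
function effectiveDirective(directives, wanted) {
  for (const name of FALLBACK[wanted] || [wanted, "default-src"]) {
    if (directives.has(name)) return [name, directives.get(name)];
  }
  return [null, null];
}

// Does a single source expression match the URL, for a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  const scheme = u.protocol.slice(0, -1); // "blob", "https", ...

  // Scheme-source ("blob:", "https:"): matches every URL with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return scheme === s.slice(0, -1);

  // blob:, data: and filesystem: URLs are not matched by 'self' or any host-source,
  // which is why the reported policy refused the worker despite listing both.
  if (scheme === "blob" || scheme === "data" || scheme === "filesystem") return false;

  if (s === "'self'") return u.origin === page.origin;
  if (s.startsWith("'")) return false; // 'unsafe-eval', 'unsafe-inline', nonces, hashes: not URL matchers

  // Host-source: [scheme://]host[:port][/path]; only scheme and host are modelled here.
  let requiredScheme = page.protocol.slice(0, -1);
  let hostPart = s;
  const schemeEnd = s.indexOf("://");
  if (schemeEnd !== -1) {
    requiredScheme = s.slice(0, schemeEnd);
    hostPart = s.slice(schemeEnd + 3);
  }
  hostPart = hostPart.split("/")[0].split(":")[0];
  const schemeOk = scheme === requiredScheme || (requiredScheme === "http" && scheme === "https");
  if (!schemeOk) return false;

  const host = u.hostname.toLowerCase();
  if (hostPart.startsWith("*.")) {
    const suffix = hostPart.slice(1); // e.g. ".wikipedia.org"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPart;
}

// Evaluate one request: which directive governed it and whether it is allowed.
function checkUrl(policy, wanted, url, pageOrigin) {
  const [name, sources] = effectiveDirective(parsePolicy(policy), wanted);
  if (name === null) return { allowed: true, directive: null };
  return { allowed: sources.some((src) => sourceMatches(src, url, pageOrigin)), directive: name };
}

// 1. The reported situation: no worker-src, so script-src governs and blob: is refused.
// 2. Worker served from the site's own origin (the loadWorkerFromBlob=false path) with an
//    explicit worker-src 'self': allowed without opening blob: at all.
// 3. The broad alternative, blob: in script-src, which the thread equates with unsafe-eval.
const scenarios = [
  ["reported policy, blob worker", checkUrl(REPORTED_POLICY, "worker-src", BLOB_WORKER_URL, PAGE_ORIGIN)],
  ["worker-src 'self', same-origin worker", checkUrl(REPORTED_POLICY + "; worker-src 'self'", "worker-src", SAME_ORIGIN_WORKER_URL, PAGE_ORIGIN)],
  ["blob: added to script-src", checkUrl(REPORTED_POLICY + " blob:", "worker-src", BLOB_WORKER_URL, PAGE_ORIGIN)],
];
for (const [label, result] of scenarios) console.log(label, "->", result);
```

Run it with `node` and the three scenarios print in order: the first is refused under `script-src` (matching the reported error), the second is allowed under `worker-src` without any blob: grant, and the third is allowed only because `blob:` was added as a scheme-source to `script-src`, which is the grant the thread describes as roughly equivalent to `'unsafe-eval'`.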

Interesting. I guess I naively would have assumed workers follow the usual JS loading, where it can execute cross domain but can't read.

It doesn't really matter that much in terms of CSP security - allowing blob: is mostly a form of eval(), and we're already allowing eval for RLStorage.