
Use data attributes instead of unsafe-inline var definitions within Quarry template files
Open, Low, Public

Description

Currently, query variables are declared with an inline var statement inside a <script> block directly in the HTML page.

As said by @Bawolff in https://gerrit.wikimedia.org/r/c/operations/puppet/+/491377:

As an aside, this tool is very close to being able to get rid of unsafe-inline (which improves the anti-XSS properties of CSP significantly). At a very quick glance, it looks like the only thing that uses it is the "var vars =" script block. In principle that could be replaced with a data attribute or meta tag, which would allow getting rid of the unsafe-inline.

For example, we can use data attributes on the body element.
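As an added example (not Quarry's or Bawolff's code), the "var vars =" block before and after the move to a body data attribute, with a small check a template reviewer could run over rendered HTML; the attribute name data-vars, the sample values and the CSP strings are assumptions.

```javascript
// Added example (not Quarry's code): the "var vars =" block moved into a
// data attribute on <body>, so the CSP can drop 'unsafe-inline'.

// Escape for a double-quoted HTML attribute value ('&' must go first).
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Browsers unescape attribute values before exposing them via dataset;
// this mirrors that step so the example runs outside a DOM ('&' last).
function unescapeAttr(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Before: the pattern the task describes. It only runs under 'unsafe-inline',
// and a value containing "</script>" would also break out of the block.
function renderInlineScript(vars) {
  return `<script>var vars = ${JSON.stringify(vars)};</script>`;
}

// After: same data carried by the <body> element; nothing executes at parse time.
function renderBodyWithData(vars) {
  return `<body data-vars="${escapeAttr(JSON.stringify(vars))}">`;
}

// Client side: in a browser this is JSON.parse(document.body.dataset.vars).
function readVars(bodyTag) {
  const m = /data-vars="([^"]*)"/.exec(bodyTag);
  if (!m) throw new Error('data-vars attribute missing');
  return JSON.parse(unescapeAttr(m[1]));
}

// Template check: does the rendered HTML still contain an inline script body
// that a policy without 'unsafe-inline' would block? External scripts pass.
function needsUnsafeInline(html) {
  return /<script(?![^>]*\bsrc=)[^>]*>\s*[^\s<]/.test(html);
}

// Policies (hypothetical, not Quarry's actual CSP): only the second one is
// compatible with the data-attribute form.
const CSP_WITH_UNSAFE_INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const CSP_STRICT = "default-src 'self'; script-src 'self'";

// Constructed sample with characters that are dangerous in both contexts.
const sampleVars = { queryId: 1234, title: 'Pages with "</script>" in title', user: 'Example <user>' };
```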

Event Timeline

sbassett renamed this task from "Use data attributes instead of unsafe-inline var definitions" to "Use data attributes instead of unsafe-inline var definitions within Quarry template files". Feb 21 2019, 5:13 PM
sbassett triaged this task as Low priority.

I should emphasize, of course, that Quarry has a very low risk profile, so it's really not worth worrying too much (as much as I love better security for security's sake). Worst case scenario (that I can think of) is someone uses an XSS in Quarry as part of a phishing scheme, or someone tries to make queries with naughty content under someone else's name. Neither is a particularly high impact threat.