
Allow app:// protocol in mobile-html CSP headers
Closed, Resolved; Public

Description

From T217348#5002107:
The issue we're running into with the current implementation is that the x-content-security-policy header excludes custom schemes for script-src and style-src. Could they be updated to be less restrictive? The [iOS] app works with the app:// scheme URLs added:

...script-src app://meta.wikimedia.org  https://meta.wikimedia.org 'unsafe-inline'; style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline';...
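The behaviour described in the task, as an added example (not code from the task or from the mobileapps service): a simplified scheme-and-host matcher for CSP source lists, run against the fragment quoted above and against a constructed "before" variant with the `app://` entries removed. Ports, paths, `default-src` fallback and keyword sources such as `'self'` are not evaluated, and the resource URLs are constructed.

```javascript
// Simplified CSP source-list matching: scheme + host only.
// Keyword sources ('self', 'unsafe-inline', nonces, hashes) are skipped.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function hostMatches(pattern, host) {
  // "*.example.org" covers subdomains only, never the bare domain.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function sourceAllows(source, url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(source);
  if (!m) return false; // keyword source: never matches a URL here
  // The scheme must match exactly, so an https:// entry does not cover app://.
  return url.protocol === m[1].toLowerCase() + ':' &&
         hostMatches(m[2].toLowerCase(), url.hostname);
}

function isAllowed(header, directive, resource) {
  const sources = parseCsp(header)[directive] || [];
  const url = new URL(resource);
  return sources.some((s) => sourceAllows(s, url));
}

// Fragment quoted in the task description (ellipses dropped).
const AFTER = "script-src app://meta.wikimedia.org  https://meta.wikimedia.org 'unsafe-inline'; " +
  "style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org " +
  "https://*.wikipedia.org 'self' 'unsafe-inline';";
// Constructed "before" variant: the same fragment without the app:// sources.
const BEFORE = "script-src https://meta.wikimedia.org 'unsafe-inline'; " +
  "style-src https://meta.wikimedia.org https://*.wikipedia.org 'self' 'unsafe-inline';";

// Constructed resource URLs (paths are hypothetical).
for (const [dir, res] of [
  ['script-src', 'app://meta.wikimedia.org/a.js'],
  ['style-src', 'app://en.wikipedia.org/a.css'],
  ['script-src', 'app://en.wikipedia.org/a.js'],
]) {
  console.log(dir, res, 'before:', isAllowed(BEFORE, dir, res),
              'after:', isAllowed(AFTER, dir, res));
}
```

In the quoted fragment `script-src` lists only `meta.wikimedia.org`, so under this matcher an `app://` script from a `*.wikipedia.org` host is still refused while a stylesheet from the same host is accepted.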

Event Timeline

bearND created this task. Mar 12 2019, 7:33 PM
bearND triaged this task as Normal priority. Mar 12 2019, 7:47 PM
MSantos claimed this task. Mar 13 2019, 1:05 PM
MSantos updated the task description. Mar 13 2019, 3:18 PM

Change 496191 had a related patch set uploaded (by MSantos; owner: MSantos):
[mediawiki/services/mobileapps@master] Allow app:// protocol in mobile-html CSP headers

https://gerrit.wikimedia.org/r/496191

Change 496191 merged by jenkins-bot:
[mediawiki/services/mobileapps@master] Allow app:// protocol in mobile-html CSP headers

https://gerrit.wikimedia.org/r/496191

Deployed a few minutes ago deploy/2019-03-13/5f8e4e61.

MSantos closed this task as Resolved. Fri, Apr 12, 4:37 PM