Page MenuHomePhabricator
Create Task
Maniphest T220475

XTools' ArticleInfo gadget will be blocked by CSP
Open, Stalled, LowPublic
Actions

Description

When the gadget is ran, this error appears in my console:

[Report Only] Refused to connect to 'https://xtools.wmflabs.org/api/page/articleinfo/en.wikipedia.org/MediaWiki:Gadget-XTools-ArticleInfo.js?format=html&uselang=en' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Related Objects
Search...

Event Timeline

TerraCodes created this task.Apr 9 2019, 7:48 AM
TerraCodes updated the task description. (Show Details)
MusikAnimal moved this task from Backlog to General / other on the XTools board.Apr 9 2019, 3:50 PM
MusikAnimal subscribed.

Indeed :( There is talk for users to be able to selectively whitelist certain external domains, in this case xtools.wmflabs.org. Or, we could rewrite the script to work entirely off of the MediaWiki APi, but this will make it much slower and we might have to lose some functionality.

Amorymeltzer subscribed.Apr 9 2019, 4:04 PM
Danmichaelo mentioned this in T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?.May 19 2019, 6:08 PM
Quiddity added a subtask: T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?.Jul 7 2019, 5:08 AM
AlanM1 subscribed.Nov 30 2019, 5:12 AM
Bawolff closed subtask T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy? as Declined.Dec 9 2019, 4:16 PM
MusikAnimal triaged this task as Low priority.Mar 4 2021, 5:48 AM
MusikAnimal changed the task status from Open to Stalled.Jun 22 2021, 4:59 AM

Unactionable at this time.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits