
XTools' ArticleInfo gadget will be blocked by CSP
Open, Needs Triage | Public

Description

When the gadget is run, this error appears in my console:

[Report Only] Refused to connect to 'https://xtools.wmflabs.org/api/page/articleinfo/en.wikipedia.org/MediaWiki:Gadget-XTools-ArticleInfo.js?format=html&uselang=en' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Event Timeline

TerraCodes updated the task description.
MusikAnimal moved this task from Inbox to Other on the XTools board. Apr 9 2019, 3:50 PM
MusikAnimal added a subscriber: MusikAnimal.

Indeed :( There is talk of users being able to selectively whitelist certain external domains, in this case xtools.wmflabs.org. Or, we could rewrite the script to work entirely off of the MediaWiki API, but this will make it much slower and we might have to lose some functionality.
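
The `connect-src` to `default-src` fallback named in the console message, and the effect of allowing xtools.wmflabs.org as discussed in the comment, shown as an added example (not part of the task, and not XTools or MediaWiki code). The policy and request URL are copied from the error above; `PAGE_ORIGIN` and the function names are assumptions, and path matching and explicit default ports are left out.

```javascript
// Simplified CSP source-list check for fetch/XHR requests (connect-src).
const POLICY = "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org";
const REQUEST = "https://xtools.wmflabs.org/api/page/articleinfo/en.wikipedia.org/MediaWiki:Gadget-XTools-ArticleInfo.js?format=html&uselang=en";
const PAGE_ORIGIN = "https://en.wikipedia.org"; // assumption: the wiki the gadget ran on

// Split a policy into directive name -> source list; the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Match one source expression against a parsed URL (host comes from the URL
// parser, so "en.wikipedia.org" inside the request path cannot satisfy a host rule).
function sourceMatches(source, url, selfOrigin) {
  if (source === "'self'") return url.origin === selfOrigin;
  // scheme-source such as data: or blob:
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // keywords such as 'none' never match a URL
  const [, scheme, hostPattern, port] = m;
  const pageScheme = new URL(selfOrigin).protocol;
  // No scheme in the rule: same scheme as the page, or an upgrade to https.
  const schemeOk = scheme ? url.protocol === scheme.toLowerCase() + ":"
                          : url.protocol === pageScheme || url.protocol === "https:";
  const host = url.hostname.toLowerCase();
  const pat = hostPattern.toLowerCase();
  // "*.example.org" covers subdomains only, not example.org itself.
  const hostOk = pat === "*" || (pat.startsWith("*.") ? host.endsWith(pat.slice(1)) : host === pat);
  const portOk = port === "*" || (port ? url.port === port : url.port === "");
  return schemeOk && hostOk && portOk;
}

// connect-src governs the request; when it is absent, default-src is used.
function connectAllowed(policy, requestUrl, selfOrigin) {
  const directives = parsePolicy(policy);
  const directive = directives.has("connect-src") ? "connect-src" : "default-src";
  const sources = directives.get(directive);
  if (!sources) return { allowed: true, directive: null }; // nothing restricts the request
  const url = new URL(requestUrl);
  return { allowed: sources.some((s) => sourceMatches(s, url, selfOrigin)), directive };
}

console.log(connectAllowed(POLICY, REQUEST, PAGE_ORIGIN));
console.log(connectAllowed(POLICY + " xtools.wmflabs.org", REQUEST, PAGE_ORIGIN));
```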