Page MenuHomePhabricator
Create Task
Maniphest T220475

XTools' ArticleInfo gadget will be blocked by CSP
Open, MediumPublic
Actions

Description

When the gadget is ran, this error appears in my console:

[Report Only] Refused to connect to 'https://xtools.wmflabs.org/api/page/articleinfo/en.wikipedia.org/MediaWiki:Gadget-XTools-ArticleInfo.js?format=html&uselang=en' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow toolforge APIs in enforced CSP modeoperations/mediawiki-configmaster+10 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

TerraCodes created this task.Apr 9 2019, 7:48 AM
TerraCodes updated the task description. (Show Details)
MusikAnimal moved this task from Backlog to General / other on the XTools board.Apr 9 2019, 3:50 PM
MusikAnimal subscribed.

Indeed :( There is talk for users to be able to selectively whitelist certain external domains, in this case xtools.wmflabs.org. Or, we could rewrite the script to work entirely off of the MediaWiki APi, but this will make it much slower and we might have to lose some functionality.

Amorymeltzer subscribed.Apr 9 2019, 4:04 PM
Danmichaelo mentioned this in T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?.May 19 2019, 6:08 PM
Quiddity added a subtask: T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?.Jul 7 2019, 5:08 AM
AlanM1 subscribed.Nov 30 2019, 5:12 AM
Bawolff closed subtask T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy? as Declined.Dec 9 2019, 4:16 PM
MusikAnimal triaged this task as Low priority.Mar 4 2021, 5:48 AM
MusikAnimal changed the task status from Open to Stalled.Jun 22 2021, 4:59 AM

Unactionable at this time.

Alien333 subscribed.Jun 5 2025, 7:37 AM

Welp, T135963 looks pretty stalled to me, so at any rate we're not in trouble yet.

Sdkb mentioned this in T401360: Display low numbers of page watchers to admins in XTools and ArticleInfo gadget.Aug 6 2025, 11:14 PM
gerritbot added a comment.Mar 5 2026, 7:14 PM

Change #1248574 had a related patch set uploaded (by Krinkle; author: Krinkle):

[operations/mediawiki-config@master] Allow toolforge APIs in enforced CSP mode

https://gerrit.wikimedia.org/r/1248574

gerritbot added a project: Patch-For-Review.Mar 5 2026, 7:14 PM
gerritbot added a comment.Mar 5 2026, 7:56 PM

Change #1248574 merged by jenkins-bot:

[operations/mediawiki-config@master] Allow toolforge APIs in enforced CSP mode

https://gerrit.wikimedia.org/r/1248574

Stashbot mentioned this in T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.Mar 5 2026, 7:56 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-05T19:56:49Z] <krinkle@deploy2002> Started scap sync-world: Backport for [[gerrit:1248574|Allow toolforge APIs in enforced CSP mode (T135963 T419137 T220475)]]

Stashbot added a comment.Mar 5 2026, 7:58 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-05T19:58:55Z] <krinkle@deploy2002> krinkle: Backport for [[gerrit:1248574|Allow toolforge APIs in enforced CSP mode (T135963 T419137 T220475)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Mar 5 2026, 8:04 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-05T20:04:27Z] <krinkle@deploy2002> Finished scap sync-world: Backport for [[gerrit:1248574|Allow toolforge APIs in enforced CSP mode (T135963 T419137 T220475)]] (duration: 07m 37s)

MusikAnimal added a subscriber: Krinkle.EditedMar 5 2026, 8:05 PM

@Krinkle Are we permanently allowlisted now or what? I do realize there's still T299855: XTools ArticleInfo gadget should not execute WMCS HTML which we can look into.

Of importance, the vast majority of uses of the XTools PageInfo gadget/endpoint are from end users loading it in their personal JS, which uses an HTML API, not JSON.

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2026, 8:31 PM
MusikAnimal added a comment.Mar 5 2026, 9:05 PM

I've confirmed with Krinkle the gadget won't break (yet). But we should start moving things to the MediaWiki namespace, and properly gadget-ize it, similar to what was done for MoreMenu and Krinkle's RTRC gadgets. And also resolve T299855.

MusikAnimal changed the task status from Stalled to Open.Mar 5 2026, 9:05 PM
MusikAnimal raised the priority of this task from Low to Medium.
MusikAnimal mentioned this in T299855: XTools ArticleInfo gadget should not execute WMCS HTML.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits