
Selecting "Good Pictures" button in Commons categories does not do anything (due to HTTP 502 error on http://fastcci1.wmflabs.org)
Closed, Resolved | Public | BUG REPORT

Description

Steps to Reproduce:
Install Firefox
Open https://commons.wikimedia.org/wiki/Category:Conifer_leaves
Open browser console (in tools, web developer menu)
Clear console
Click "good pictures"

Actual Results:

"Content Security Policy: The page’s settings observed the loading of a resource at https://fastcci1.wmflabs.org/?c1=1685819&d1=15&s=200&a=fqv (“default-src”). A CSP report is being sent." in the browser console

Expected Results:

I see a list of good pictures

Event Timeline

It is also failing in Chromium, though I failed to find the browser console in it.

Aklapper renamed this task from Good pictures button blocked by content security policy in Firefox to "Good Pictures" button in Commons Categories blocked by content security policy. Jul 3 2019, 9:45 AM

In case it is not reproducible by others with a default browser setup, I am willing to make more extensive tests.

For now it seems to me like an error not caused by some of the settings that I changed (given breakage on a plain Chromium with default settings).

Digging around I found T207900 and https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/481206/

I'm able to reproduce this in Firefox. I see these headers:
content-security-policy-report-only: script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: https://upload.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org; style-src 'self' data: blob: https://upload.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&

Shouldn't wmflabs.org be in that list? @Krinkle can you have a look at this?

I don't think this is related to CSP. The server now doesn't respond at all for me, not even via curl. I get a 502 bad gateway after about 10 seconds or something.

curl -v "https://fastcci1.wmflabs.org/?c1=1685819&d1=15&s=200&a=fqv"
and
curl -v "http://fastcci1.wmflabs.org/status"

Aklapper renamed this task from "Good Pictures" button in Commons Categories blocked by content security policy to Selecting "Good Pictures" button in Commons Categories does not do anything. Jul 8 2019, 8:30 AM
Aklapper added a project: Tools.
Aklapper edited projects, added VPS-Projects; removed Tools.

The CSP report is still a soft warning. wmflabs indeed does not belong in its whitelist by default. However, before CSP will be enforced, indeed there will be a way for users and/or gadgets to add additional origins. This is unrelated to the issue at hand, however.

[Error] Origin https://commons.wikimedia.org is not allowed by Access-Control-Allow-Origin.
[Error] XMLHttpRequest cannot load https://fastcci2.wmflabs.org/?c1=1685819&d1=15&s=200&a=fqv due to access control checks.
[Error] Failed to load resource: Origin https://commons.wikimedia.org is not allowed by Access-Control-Allow-Origin. (fastcci2.wmflabs.org, line 0)

fastcci.wmflabs.org doesn't appear to be online. Gives 500s.
I think that is a project by @dschwen? I believe he is a bit busy these days.

Aklapper renamed this task from Selecting "Good Pictures" button in Commons Categories does not do anything to Selecting "Good Pictures" button in Commons categories does not do anything (due to HTTP 502 error on http://fastcci1.wmflabs.org). Jul 28 2019, 4:16 PM
TheDJ claimed this task.

Not sure when it was restarted, but all seems to be working here
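
The console message quoted in the description names `default-src` and says a report is being sent, while the request itself was not stopped by the policy. The following added example (not code from this task or from MediaWiki) evaluates the FastCCI request against an abbreviated copy of the report-only header quoted above; the function names are hypothetical, and source matching is simplified to keywords, schemes and hosts, ignoring ports, paths and scheme upgrades.

```javascript
// Added example. Policy abbreviated from the report-only header quoted in the thread.
const REPORT_ONLY_POLICY =
  "script-src 'unsafe-eval' 'self' *.wikimedia.org 'unsafe-inline'; " +
  "default-src 'self' data: blob: https://upload.wikimedia.org *.wikimedia.org wikimedia.org; " +
  "report-uri /w/api.php?action=cspreport&format=json&reportonly=1&";

// Split a policy into directive name -> source list (first occurrence wins, as in CSP).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified source matching: 'self', scheme-sources and host-sources with a leading "*.".
// Assumption: ports, paths and the http-to-https upgrade rule are ignored.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  if (url.protocol !== scheme + ":") return false;
  const pattern = m[2].toLowerCase();
  const host = url.hostname.toLowerCase();
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : host === pattern;
}

// XHR/fetch is governed by connect-src, which falls back to default-src when absent.
function evaluateFetch(header, reportOnly, target, pageOrigin) {
  const policy = parsePolicy(header);
  const directive = policy.has("connect-src") ? "connect-src" : "default-src";
  const sources = policy.get(directive);
  if (!sources) return { directive: null, violated: false, blocked: false };
  const url = new URL(target);
  const violated = !sources.some((s) => sourceMatches(s, url, pageOrigin));
  // A report-only policy sends a report but never blocks the request.
  return { directive, violated, blocked: violated && !reportOnly };
}

const result = evaluateFetch(REPORT_ONLY_POLICY, true,
  "https://fastcci1.wmflabs.org/?c1=1685819&d1=15&s=200&a=fqv", "https://commons.wikimedia.org");
console.log(result);
```

Passing `false` for `reportOnly` shows what the same policy would do if it were delivered as an enforcing `content-security-policy` header.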