Page MenuHomePhabricator

Use CSP headers from backend even when stored payload is served
Closed, ResolvedPublic

Description

mobile-html uses a special CSP header but RB seems to fall back to a default header for all when using stored responses.
RB should store and use those CSP headers.

Example: https://en.wikipedia.org/api/rest_v1/page/mobile-html/Cat
I'm getting now:

default-src 'none'; media-src *; img-src *; style-src http://*.wikipedia.org https://*.wikipedia.org;frame-ancestors 'self'

PCS sends a different CSP header:

default-src 'none'; connect-src https://*.wikipedia.org; media-src *; img-src * data:; script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline'; frame-ancestors 'self'

Event Timeline

bearND created this task.Thu, Jul 25, 4:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptThu, Jul 25, 4:07 PM

I don't think storing CSP headers is a correct way forward here. If we store the headers and then need to change them, we'd need to truncate all the stored content, which we cannot really do, because it will drastically increase the load on PCS.

In the beautiful future when PCS manages it's own storage, this will be no problem, since RESTbase would just blindly proxy things to the backend service and trust it in setting whatever CSP header the service wants. Currently, I see no way forward except copying the CSP header generation code from PCS into RESTBase.

Ok, that would work for me.

Change 525610 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/services/restbase@master] Set proper CSP headers for mobile-html.

https://gerrit.wikimedia.org/r/525610

Change 525610 abandoned by Ppchelko:
Set proper CSP headers for mobile-html.

Reason:
Accidentally submitted to gerrit.

https://gerrit.wikimedia.org/r/525610

Change 525610 merged by Ppchelko:
[mediawiki/services/restbase@master] Set proper CSP headers for mobile-html.

https://gerrit.wikimedia.org/r/525610

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:29:00Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:42:42Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016 (duration: 13m 42s)

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:42:53Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 2

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:49:26Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 2 (duration: 06m 33s)

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:49:37Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 3

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:52:50Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 3 (duration: 03m 14s)

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:53:53Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, feeds timing out.

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:59:27Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, feeds timing out. (duration: 05m 34s)

Pchelolo closed this task as Resolved.Thu, Jul 25, 8:50 PM

This has been deployed. resolving.