Page MenuHomePhabricator
Create Task
Maniphest T229016

Use CSP headers from backend even when stored payload is served
Closed, ResolvedPublic
Actions

Description

mobile-html uses a special CSP header but RB seems to fall back to a default header for all when using stored responses.
RB should store and use those CSP headers.

Example: https://en.wikipedia.org/api/rest_v1/page/mobile-html/Cat
I'm getting now:

default-src 'none'; media-src *; img-src *; style-src http://*.wikipedia.org https://*.wikipedia.org;frame-ancestors 'self'

PCS sends a different CSP header:

default-src 'none'; connect-src https://*.wikipedia.org; media-src *; img-src * data:; script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline'; frame-ancestors 'self'

Details

ProjectBranchLines +/-Subject
mediawiki/services/restbasemaster+17 -0Set proper CSP headers for mobile-html.
Customize query in gerrit

Event Timeline

bearND created this task.Jul 25 2019, 4:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 25 2019, 4:07 PM
WDoranWMF edited projects, added Platform Team Workboards (Clinic Duty Team); removed Services.Jul 25 2019, 4:08 PM
Pchelolo moved this task from Inbox to Doing(WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.Jul 25 2019, 4:10 PM
bearND moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.Jul 25 2019, 4:19 PM
Pchelolo added a comment.Jul 25 2019, 4:43 PM

I don't think storing CSP headers is a correct way forward here. If we store the headers and then need to change them, we'd need to truncate all the stored content, which we cannot really do, because it will drastically increase the load on PCS.

In the beautiful future when PCS manages it's own storage, this will be no problem, since RESTbase would just blindly proxy things to the backend service and trust it in setting whatever CSP header the service wants. Currently, I see no way forward except copying the CSP header generation code from PCS into RESTBase.

bearND added a comment.Jul 25 2019, 4:52 PM

Ok, that would work for me.

gerritbot added a comment.Jul 25 2019, 5:59 PM

Change 525610 had a related patch set uploaded (by Ppchelko; owner: Ppchelko):
[mediawiki/services/restbase@master] Set proper CSP headers for mobile-html.

https://gerrit.wikimedia.org/r/525610

gerritbot added a project: Patch-For-Review.Jul 25 2019, 5:59 PM

Change 525610 abandoned by Ppchelko:
Set proper CSP headers for mobile-html.

Reason:
Accidentally submitted to gerrit.

https://gerrit.wikimedia.org/r/525610

Maintenance_bot removed a project: Patch-For-Review.Jul 25 2019, 6:10 PM
gerritbot added a comment.Jul 25 2019, 7:17 PM

Change 525610 merged by Ppchelko:
[mediawiki/services/restbase@master] Set proper CSP headers for mobile-html.

https://gerrit.wikimedia.org/r/525610

Stashbot added a comment.Jul 25 2019, 7:29 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:29:00Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016

Stashbot added a comment.Jul 25 2019, 7:42 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:42:42Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016 (duration: 13m 42s)

Stashbot added a comment.Jul 25 2019, 7:42 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:42:53Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 2

Stashbot added a comment.Jul 25 2019, 7:49 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:49:26Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 2 (duration: 06m 33s)

Stashbot added a comment.Jul 25 2019, 7:49 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:49:37Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 3

Stashbot added a comment.Jul 25 2019, 7:52 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:52:50Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, take 3 (duration: 03m 14s)

Stashbot added a comment.Jul 25 2019, 7:53 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:53:53Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, feeds timing out.

Stashbot added a comment.Jul 25 2019, 7:59 PM

Mentioned in SAL (#wikimedia-operations) [2019-07-25T19:59:27Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@279cf27]: Set proper CSP headers for mobile-html T229016, feeds timing out. (duration: 05m 34s)

Pchelolo closed this task as Resolved.Jul 25 2019, 8:50 PM

This has been deployed. resolving.

WDoranWMF moved this task from Doing(WIP:5) to Done on the Platform Team Workboards (Clinic Duty Team) board.Jul 30 2019, 2:23 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL