It tries to load something from fonts.googleapis.com
| Status | Assigned | Task |
|---|---|---|
| Open | None | T133919 [EPIC] Protect end-user privacy by restricting non-consensual third-party browser interactions |
| Open | None | T130748 Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses |
| Open | None | T172065 Hunt for Toolforge tools that load resources from third party sites |
| Resolved | Rammanojpotla | T231312 WikiContrib violates user privacy by loading third party content from Google |
@Quiddity @Aklapper Fixed via https://github.com/wikimedia/WikiContrib/commit/9c7cee85c37138dd757d3bc53009784647a066d7#diff-4116fc200141126c18042468e63e9de9 I'll update this issue when the tool is updated on Toolforge.
@Tuxology It would be excellent if the deployed tool could be updated soon. The nice announcement at https://lists.wikimedia.org/pipermail/wikitech-l/2019-September/092493.html is driving a bit more traffic to the tool now, which is driving up the Content-Security-Policy violation reports: https://tools.wmflabs.org/csp-report/search?ft=wikicontrib.
This is the screenshot of the requests made when I tried it out!
It is also not adding any entities at https://tools.wmflabs.org/csp-report/search?ft=wikicontrib. @bd808 can you please let me know if it is originally fixed?
<link href="/contrabandapp/static/css/2.c149526b.chunk.css" rel="stylesheet"> <link href="/contrabandapp/static/css/main.064b115b.chunk.css" rel="stylesheet">
Both https://tools.wmflabs.org/contrabandapp/static/css/2.c149526b.chunk.css and https://tools.wmflabs.org/contrabandapp/static/css/main.064b115b.chunk.css load content from https://fonts.googleapis.com
I did a 'hard' reload of the page to make sure that I was not just seeing stale css from prior testing. I am still seeing https://fonts.googleapis.com/css?family=Lato&display=swap and https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic&subset=latin load from Google's FontCDN.
Specifically, the semantic-ui-css package that is being imported in frontend/WikiContrib-Frontend/package.json @imports fonts.googleapis.com/css?family=Lato. The easiest way to fix this is probably adding some post-processing step after you run npm build that will rewrite https://fonts.googleapis.com/ to https://tools-static.wmflabs.org/fontcdn/ in your generated CSS file(s).
@Aklapper @bd808 I guess there is some confusion regarding the official tool. The version @Rammanojpotla and I are referring to is this: https://tools.wmflabs.org/wikicontrib and is based on the code at https://github.com/wikimedia/WikiContrib. The contrabandapp one which you refer to is not maintained anymore and should be removed from Toolforge. I guess @Rammanojpotla is going to do it and then we are all golden!
@Aklapper and @bd808 sorry for the confusion. As specified at https://wikitech.wikimedia.org/wiki/Help:Toolforge/FAQ#Can_I_delete_a_Tool? I cannot delete a tool on Toolforge. So, presently, I stopped the service of the tool hosted at https://tools.wmflabs.org/contrabandapp/. As @Tuxology specified, the official version of the tool is hosted at https://tools.wmflabs.org/wikicontrib/. Let me know if there are any fonts imported from wikicontrib?