Page MenuHomePhabricator

WikiContrib violates user privacy by loading third party content from Google
Closed, ResolvedPublic

Description

It tries to load something from fonts.googleapis.com

Event Timeline

Quiddity removed the point value for this task.
Quiddity added a subscriber: Quiddity.

@Rammanojpotla too! (Sorry I missed you initially)

@Quiddity @Aklapper Thanks for pointing this out. I will fix this ASAP and ask @Rammanojpotla to update the tool on Toolforge.

bd808 added a subscriber: bd808.Thu, Sep 5, 3:49 PM

@Tuxology It would be excellent if the deployed tool could be updated soon. The nice announcement at https://lists.wikimedia.org/pipermail/wikitech-l/2019-September/092493.html is driving a bit more traffic to the tool now which is driving up the Content-Security-Policy violations reports: https://tools.wmflabs.org/csp-report/search?ft=wikicontrib.

@bd808 We updated the deployed tool, but realized that Semantic UI we are using as a dependency is still fetching in some fonts from Google. @Rammanojpotla is on it to fix and re-deploy. Sorry for the delay

Sorry @bd808 and @Tuxology for the delay. I guess the issue is fixed!

This is the screen shot of the requests made, when I tried it out!

It is also not adding any entities at https://tools.wmflabs.org/csp-report/search?ft=wikicontrib. @bd808 can you please let me know if it is originally fixed?

@Rammanojpotla: Please check the source code of https://tools.wmflabs.org/contrabandapp/ . It includes these lines:

<link href="/contrabandapp/static/css/2.c149526b.chunk.css" rel="stylesheet">
<link href="/contrabandapp/static/css/main.064b115b.chunk.css" rel="stylesheet">

Both https://tools.wmflabs.org/contrabandapp/static/css/2.c149526b.chunk.css and https://tools.wmflabs.org/contrabandapp/static/css/main.064b115b.chunk.css load content from https://fonts.googleapis.com

bd808 added a comment.Sun, Sep 8, 3:24 PM

It is also not adding any entities at https://tools.wmflabs.org/csp-report/search?ft=wikicontrib. @bd808 can you please let me know if it is originally fixed?

I did a 'hard' reload of the page to make sure that I was not just seeing stale css from prior testing. I am still seeing https://fonts.googleapis.com/css?family=Lato&display=swap and https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic&subset=latin load from Google's FontCDN.

@Rammanojpotla: Please check the source code of https://tools.wmflabs.org/contrabandapp/ . It includes these lines:

<link href="/contrabandapp/static/css/2.c149526b.chunk.css" rel="stylesheet">
<link href="/contrabandapp/static/css/main.064b115b.chunk.css" rel="stylesheet">

Both https://tools.wmflabs.org/contrabandapp/static/css/2.c149526b.chunk.css and https://tools.wmflabs.org/contrabandapp/static/css/main.064b115b.chunk.css load content from https://fonts.googleapis.com

Specifically, the semantic-ui-css package that is being imported in frontend/WikiContrib-Frontend/package.json @imports fonts.googleapis.com/css?family=Lato. The easiest way to fix this is probably adding some post-processing step after you run npm build that will rewrite https://fonts.googleapis.com/ to https://tools-static.wmflabs.org/fontcdn/ in your generated CSS file(s).

@Aklapper @bd808 I guess there is some confusion regarding the official tool. The version @Rammanojpotla and I are referring to is this: https://tools.wmflabs.org/wikicontrib and is based on the code at https://github.com/wikimedia/WikiContrib The contrabadapp one which you refer is not maintained anymore and should be removed from toolforge. I guess @Rammanojpotla is going to do it and then we are all golden!

@Aklapper and @bd808 sorry for the confusion. As specified at https://wikitech.wikimedia.org/wiki/Help:Toolforge/FAQ#Can_I_delete_a_Tool? . I can not delete a tool on toolforge. So, presently, I stopped the service of the tool hosted at https://tools.wmflabs.org/contrabandapp/. As @Tuxology specified, the official version of tool is hosted at https://tools.wmflabs.org/wikicontrib/. Let me know if there are any fonts imported from wikicontrib ??

bd808 closed this task as Resolved.Mon, Sep 9, 4:06 PM
bd808 assigned this task to Rammanojpotla.

https://tools.wmflabs.org/wikicontrib/ is not loading any external assets and https://tools.wmflabs.org/contrabandapp/ has its webservice shutdown. Thanks for the attention @Rammanojpotla and sorry for the various confusions that we had here.