
WikiContrib violates user privacy by loading third party content from Google
Closed, Resolved | Public

Description

It tries to load something from fonts.googleapis.com

Event Timeline

@Quiddity @Aklapper Thanks for pointing this out. I will fix this ASAP and ask @Rammanojpotla to update the tool on Toolforge.

@Tuxology It would be excellent if the deployed tool could be updated soon. The nice announcement at https://lists.wikimedia.org/pipermail/wikitech-l/2019-September/092493.html is driving a bit more traffic to the tool now which is driving up the Content-Security-Policy violations reports: https://tools.wmflabs.org/csp-report/search?ft=wikicontrib.

@bd808 We updated the deployed tool, but realized that the Semantic UI we are using as a dependency is still fetching some fonts from Google. @Rammanojpotla is on it to fix and re-deploy. Sorry for the delay.

Sorry @bd808 and @Tuxology for the delay. I guess the issue is fixed!

This is the screenshot of the requests made when I tried it out!

[Attachment: image.png]

It is also not adding any entities at https://tools.wmflabs.org/csp-report/search?ft=wikicontrib. @bd808, can you please let me know if it is originally fixed?

@Rammanojpotla: Please check the source code of https://tools.wmflabs.org/contrabandapp/. It includes these lines:

<link href="/contrabandapp/static/css/2.c149526b.chunk.css" rel="stylesheet">
<link href="/contrabandapp/static/css/main.064b115b.chunk.css" rel="stylesheet">

Both https://tools.wmflabs.org/contrabandapp/static/css/2.c149526b.chunk.css and https://tools.wmflabs.org/contrabandapp/static/css/main.064b115b.chunk.css load content from https://fonts.googleapis.com.


I did a 'hard' reload of the page to make sure that I was not just seeing stale CSS from prior testing. I am still seeing https://fonts.googleapis.com/css?family=Lato&display=swap and https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic&subset=latin load from Google's font CDN.

[Attachment: Screen Shot 2019-09-08 at 09.07.37.png]


Specifically, the semantic-ui-css package that is being imported in frontend/WikiContrib-Frontend/package.json @imports fonts.googleapis.com/css?family=Lato. The easiest way to fix this is probably adding some post-processing step after you run npm build that rewrites https://fonts.googleapis.com/ to https://tools-static.wmflabs.org/fontcdn/ in your generated CSS file(s).

@Aklapper @bd808 I guess there is some confusion regarding the official tool. The version @Rammanojpotla and I are referring to is this: https://tools.wmflabs.org/wikicontrib and is based on the code at https://github.com/wikimedia/WikiContrib. The contrabandapp one to which you refer is not maintained anymore and should be removed from Toolforge. I guess @Rammanojpotla is going to do it and then we are all golden!

@Aklapper and @bd808 sorry for the confusion. As specified at https://wikitech.wikimedia.org/wiki/Help:Toolforge/FAQ#Can_I_delete_a_Tool? , I cannot delete a tool on Toolforge. So, presently, I stopped the service of the tool hosted at https://tools.wmflabs.org/contrabandapp/. As @Tuxology specified, the official version of the tool is hosted at https://tools.wmflabs.org/wikicontrib/. Let me know if there are any fonts imported from wikicontrib?

bd808 assigned this task to Rammanojpotla.

https://tools.wmflabs.org/wikicontrib/ is not loading any external assets and https://tools.wmflabs.org/contrabandapp/ has its webservice shut down. Thanks for the attention @Rammanojpotla and sorry for the various confusions that we had here.

sbassett triaged this task as Medium priority. Oct 16 2019, 4:36 PM
sbassett moved this task from Intake to Done on the Privacy board.

@Gopavasanth - it still seems to not be loading any external resources (the purpose of this task), so that should be fine.