
Wikimedia documentation unavailable: js blocked due to CSP
Closed, ResolvedPublic

Description

Some JSDuck pages are getting stuck at the loading status.

I guess this is caused by the T213223#5485220 ( gerrit:535895 67a56304bf643d22e4bf17fb9c8556817cd7fb41 ) patch.

ext-all.js:38 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline' 'self'".

    at ext-all.js:38
    at ext-all.js:38
app-0c945a27f43452df695771ddb60b3d14.js:1 Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': The document is sandboxed and lacks the 'allow-same-origin' flag.
    at https://doc.wikimedia.org/mediawiki-core/master/js/app-0c945a27f43452df695771ddb60b3d14.js:1:87555
/mediawiki-core/master/js/#!/api/mw.log:29 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

/mediawiki-core/master/js/#!/api/mw.log:202 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

/mediawiki-core/master/js/#!/api/mw.log:228 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

/mediawiki-core/master/js/#!/api/mw.log:382 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

/mediawiki-core/master/js/#!/api/mw.log:388 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

(index):395 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Exo' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

(anonymous) @ (index):395
ext-all.js:38 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-NA53hEXOaRihI3snNzt5Py1z3tG03mlAJTnJb5dEfKI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ ext-all.js:38
ext-all.js:38 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-h6i66sWae7FQraJgPKZtike2U9kbdj6H4ef+hLRvI4A='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ ext-all.js:38
ext-all.js:38 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-isBg57oda5bvrrCI5oPumlJGNwD3CMfczbHEtuIAmiw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ ext-all.js:38
ext-all.js:38 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-cUtUA2GBdi4dtncTW7Pr5W2p1T9OmZosgcgFNgCzPx0='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ ext-all.js:38
ext-all.js:38 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-fFRHI5PNmrz9bPtAXUqdfDkfYAkipB2P2SyE1YJJrZc='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ ext-all.js:38
ext-all.js:38 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-S7ZenpTBT8dynfQlRZPwQtcqoidonYHPhVhFGs8telY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

init @ ext-all.js:38
ext-all.js:38 Uncaught TypeError: Cannot read property 'get' of undefined
    at Object.Ext.get (ext-all.js:38)
    at Object.Ext.apply.getBody (ext-all.js:38)
    at b (ext-all.js:38)
    at ext-all.js:38
    at h.fire (ext-all.js:38)
    at h.Ext.apply.readyEvent.e.fire (ext-all.js:38)
    at fireReadyEvent (ext-all.js:38)
    at ext-all.js:38
/mediawiki-core/master/js/extjs/src/Ajax.js?_dc=1568257411834:1 Failed to load resource: the server responded with a status of 404 ()
/mediawiki-core/master/js/extjs/src/util/Cookies.js?_dc=1568257411835:1 Failed to load resource: the server responded with a status of 404 ()
/mediawiki-core/master/js/extjs/src/app/Controller.js?_dc=1568257411839:1 Failed to load resource: the server responded with a status of 404 ()
/mediawiki-core/master/js/extjs/src/data/Store.js?_dc=1568257411840:1 Failed to load resource: the server responded with a status of 404 ()
/mediawiki-core/master/js/extjs/src/container/Container.js?_dc=1568257411837:1 Failed to load resource: the server responded with a status of 404 ()
/mediawiki-core/master/js/extjs/src/panel/Panel.js?_dc=1568257411837:1 Failed to load resource: the server responded with a status of 404 ()
/mediawiki-core/master/js/#!/api/mw.log:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Exo' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Event Timeline

Rxy triaged this task as High priority.Sep 12 2019, 3:17 AM
Rxy added a project: Documentation.
jcrespo renamed this task from JSDuck is now unavailable due to loading external resources failed to Wikimedia documentation unavailable: js blocked due to CSP.Sep 12 2019, 8:51 AM
jcrespo added subscribers: Jdoggs91, Rxy, Dzahn and 3 others.

I have repurposed @Rxy patch to use Content-Security-Policy-Report-Only instead of reverting. This way we at least get the logs and can finely tweak the rules.

https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/535987
Change doc.wikimedia CSP header to report only
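Added example, not code from the task or the puppet change: a Python script that turns the browser console messages quoted in the description into the narrowest per-directive additions an enforcing policy would need (per-block sha256 hashes and origins rather than 'unsafe-inline'), which is the kind of tweaking the report-only run is meant to inform. It assumes Chrome's wording of the messages, and the sample lines are excerpted from the description above.

```python
import re
from urllib.parse import urlsplit

# Console lines excerpted from the task description (one of each kind); the
# regexes below are keyed to Chrome's wording of CSP violation messages.
SAMPLE_LOG = """\
ext-all.js:38 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline' 'self'".
/mediawiki-core/master/js/#!/api/mw.log:29 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
/mediawiki-core/master/js/#!/api/mw.log:202 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-YFOIjkCvZnAH6R5z1ZjUI/Zgf7uslK5vN80+lsdvYss='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
(index):395 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Exo' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
/mediawiki-core/master/js/extjs/src/Ajax.js?_dc=1568257411834:1 Failed to load resource: the server responded with a status of 404 ()
"""

DIRECTIVE = re.compile(r'Content Security Policy directive: "([^"]+)"')
INLINE = re.compile(r"Refused to apply inline (style|script).*?a hash \('(sha256-[^']+)'\)")
EXTERNAL = re.compile(r"Refused to load the (stylesheet|script|font|image) '([^']+)'")
EVAL = re.compile(r"Refused to evaluate a string as JavaScript")
EXTERNAL_DIRECTIVE = {"stylesheet": "style-src", "script": "script-src",
                      "font": "font-src", "image": "img-src"}


def suggest_directives(console_log):
    """Map each effective directive to (sources of the directive that fired,
    narrowest extra sources the log shows it needs): a sha256 hash per inline
    block, the origin for external resources, 'unsafe-eval' for eval().
    Lines that are not CSP violations (404s, sandbox errors) are skipped."""
    result = {}
    for line in console_log.splitlines():
        quoted = DIRECTIVE.search(line)
        if not quoted:
            continue
        inherited = tuple(quoted.group(1).split()[1:])  # e.g. ("'self'",)
        if m := INLINE.search(line):
            directive, source = f"{m.group(1)}-src", f"'{m.group(2)}'"
        elif m := EXTERNAL.search(line):
            directive = EXTERNAL_DIRECTIVE[m.group(1)]
            source = "{0.scheme}://{0.netloc}".format(urlsplit(m.group(2)))
        elif EVAL.search(line):
            directive, source = "script-src", "'unsafe-eval'"
        else:
            continue
        result.setdefault(directive, (inherited, set()))[1].add(source)
    return result


def render_policy(suggested):
    """Render explicit directives: each keeps the sources of the directive it
    fell back to and gains only what was observed, in deterministic order."""
    return "; ".join(f"{d} {' '.join(inh)} {' '.join(sorted(need))}"
                     for d, (inh, need) in sorted(suggested.items()))
```

Every new sha256 hash in the report-only logs becomes one more `style-src` entry, so a growing list is the signal that the inline styles are generated dynamically and a nonce or a code change is the better fix than more hashes.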

hashar assigned this task to Rxy.

The header has been turned to Content-Security-Policy-Report-Only. https://doc.wikimedia.org/oojs-ui/master/js/ works again, sorry :-\

Is there a reason that this task should remain non-public? Duplicate https://phabricator.wikimedia.org/T232704 is also public.

@Aklapper - no, everything on the task is public and/or not sensitive.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 12 2019, 3:22 PM
DannyS712 subscribed.

[batch] remove patch for review tag from resolved tasks