
Content Security Policy JS error
Closed, InvalidPublic

Description

Recently the maps shown through this template: https://it.wikivoyage.org/wiki/Template:MappaDinamica cause the following JS error:

[Report Only] Refused to frame 'https://tools.wmflabs.org/' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.

Event Timeline

Restricted Application added subscribers: Liuxinyu970226, Aklapper. Oct 22 2019, 4:47 PM

Hi @Andyrom75, thanks for taking the time to report this!

This is probably due to T207900, does it create any problems? I don't think it is an "error", but a warning?

In Firefox 69 when going to the Developer Tools there is no such output on https://it.wikivoyage.org/wiki/Template:MappaDinamica?debug=true ? Which web browser is used, what are steps to reproduce to see this? :)

Is this related to T211971?

> This is probably due to T207900, does it create any problems? I don't think it is an "error", but a warning?

That should be correct. If a resource is actually being blocked right now, it's probably related to something else like CORS. And certainly various Cloud VPS/tools resources would be permitted in various contexts once CSP user allow-listing is formalized and Wikimedia CSPs are set to enforce.

Bawolff added a subscriber: Bawolff.

Yep, it's just a warning so far, and things will change before the warning becomes more serious. However, it should be noted that MediaWiki:Gadget-MapFrame.js might borderline be in violation of the privacy policy since it's loading resources from toolforge without opt-in from the user (Not really clear though, as it is loading in an iframe. Rules around usage of labs in production are very ambiguous in practice).

Aklapper changed the task status from Open to Stalled. Oct 25 2019, 6:54 AM

Setting status to stalled as we're waiting for Andyrom75 to answer T236188#5603324

Andyrom75 added a comment. Edited Oct 27 2019, 5:48 PM

@Aklapper sorry for the late answer.
I've used Chrome Version 77.0.3865.90 (Build) (64 bit).
I get the same result with Firefox Quantum 69.0.2 (64 bit).

The FF message is in Italian, but the numbers and URL are still understandable (translated):
Content Security Policy: The page's settings detected the loading of a resource at https://tools.wmflabs.org/wikivoyage/w/poimap2.php?lat=43.77…1.255229&zoom=15&layer=W&lang=it&name=Template:MappaDinamica ("default-src"). A CSP report has been sent.

To replicate it is quite simple: open the page and look into the browser console.

Please let me know if you need more information by my side.

Aklapper changed the task status from Stalled to Open. Oct 27 2019, 8:00 PM

@Andyrom75: It is still unclear to me how to reproduce a problem, and what the exact problem is here. I go to https://it.wikivoyage.org/wiki/Template:MappaDinamica and I don't see such output in the Developer Tools in Firefox. What are exact steps to reproduce, the expected outcome, and the actual outcome? Thanks.

> @Andyrom75: It is still unclear to me how to reproduce a problem, and what the exact problem is here. I go to https://it.wikivoyage.org/wiki/Template:MappaDinamica and I don't see such output in the Developer Tools in Firefox. What are exact steps to reproduce, the expected outcome, and the actual outcome? Thanks.

FWIW, The CSP warning does show up in the developer console for me.

I'm not sure there is anything to be done about it at this time.

> @Andyrom75: It is still unclear to me how to reproduce a problem, and what the exact problem is here. I go to https://it.wikivoyage.org/wiki/Template:MappaDinamica and I don't see such output in the Developer Tools in Firefox. What are exact steps to reproduce, the expected outcome, and the actual outcome? Thanks.

As said by Bawolff, in both cases I see the alert in the developer console (the one that is opened after pressing F12).

sbassett closed this task as Resolved. Oct 28 2019, 2:38 PM
sbassett claimed this task.
sbassett triaged this task as Low priority.

> As said by Bawolff, in both cases I see the alert in the developer console (the one that is opened after pressing F12).

Seeing the alert within a developer console is normal, expected behavior for the time being. Again, it should just be a notice-level warning, not an error which blocks a resource from loading. I'm going to resolve this for now unless it can be demonstrated that the CSP in question is actually blocking a resource from being loaded.

sbassett changed the task status from Resolved to Invalid. Oct 28 2019, 2:38 PM
Restricted Application removed a subscriber: Liuxinyu970226. Oct 28 2019, 2:38 PM

In T236188#5611628, @sbassett wrote:
> Seeing the alert within a developer console is normal, expected behavior for the time being. Again, it should just be a notice-level warning, not an error which blocks a resource from loading. I'm going to resolve this for now unless it can be demonstrated that the CSP in question is actually blocking a resource from being loaded.

Ok, but since it says "Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.", what is your suggestion? Consider that I have set the src attribute of the iframe HTML tag.

> "Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback."

So this is just CSP letting you know how its policies are degrading in this particular case. The current CSP in effect for it.wikivoyage does not have a frame-src directive explicitly set within its policy. So the browser is using the default-src policy (falling back) instead, which in this case is:

default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org;

which your iframe src (https://tools.wmflabs.org/*) is currently violating. Again, this is just a report/warning and should not currently be blocking the load of any resources from https://tools.wmflabs.org/.
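The fallback that sbassett describes above, and the report-only versus enforce distinction raised earlier in the thread, can be reproduced outside a browser. The following is an added example written for this page; it is not code from the task, from MediaWiki, or from Wikimedia's CSP implementation. It parses the default-src list quoted in the task description verbatim, walks the CSP3 fallback chain for frames (frame-src, then child-src, then default-src; Chrome's message names only default-src because child-src was unset as well), and applies a simplified source-expression matcher ('self', 'none', '*', scheme sources such as data:, bare hosts, *.host wildcards and scheme://host). Port and path matching are left out. ALLOWLIST_POLICY, which adds an explicit frame-src admitting tools.wmflabs.org, is a hypothetical policy used only to show what changes once frame-src is set; it is not a policy Wikimedia has deployed.

```javascript
// Added example, not code from the task or from MediaWiki/Wikimedia: a small
// evaluator that reproduces the browser's decision for an <iframe src> under a
// Content-Security-Policy or Content-Security-Policy-Report-Only header.
// It walks the CSP3 fallback chain frame-src -> child-src -> default-src and
// implements a simplified source-expression matcher ('self', 'none', '*',
// scheme:, host, *.host, scheme://host). Port and path matching are omitted.

// The default-src list quoted in the task description (verbatim from the report).
const WMF_POLICY =
  "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org " +
  "meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org " +
  "*.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org " +
  "*.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org";

// Hypothetical allow-list (an assumption for illustration, not a Wikimedia
// policy): an explicit frame-src that admits Toolforge.
const ALLOWLIST_POLICY = WMF_POLICY + "; frame-src 'self' https://tools.wmflabs.org";

// CSP3: a frame load is governed by the first of these directives that is present.
const FRAME_FALLBACK = ['frame-src', 'child-src', 'default-src'];

// Parse "name src src; name src" into { name: [src, ...] }. A repeated
// directive name is ignored, as browsers do.
function parsePolicy(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// First directive in the fallback chain that the policy actually sets, or null.
function effectiveDirective(directives, chain) {
  return chain.find((name) => name in directives) || null;
}

// Does one source expression match `url`? `page` is the document's URL ('self').
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // "data:", "blob:"

  let scheme = null;
  let host = e;
  const m = e.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; host = m[2]; }
  host = host.replace(/\/.*$/, '').replace(/:\d+$/, ''); // drop path and port (simplification)

  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== page.protocol && url.protocol !== 'https:') {
    return false; // scheme-less host source: the page's scheme, or an https upgrade
  }
  if (host.startsWith('*.')) {
    // "*.wikivoyage.org" matches "it.wikivoyage.org" but NOT the apex "wikivoyage.org"
    return url.hostname.endsWith(host.slice(1));
  }
  return url.hostname === host;
}

// Decide what the browser would do for <iframe src=frameUrl> on pageUrl.
// `reportOnly` says which of the two headers carried the policy.
function evaluateFrame(policy, frameUrl, pageUrl, reportOnly) {
  const directives = parsePolicy(policy);
  const url = new URL(frameUrl);
  const page = new URL(pageUrl);
  const governing = effectiveDirective(directives, FRAME_FALLBACK);
  const allowed =
    governing === null || directives[governing].some((s) => sourceMatches(s, url, page));
  return {
    allowed,
    directive: governing,             // which directive was consulted ("default-src" in the task)
    reported: !allowed,               // a report is sent under either header
    blocked: !allowed && !reportOnly, // only the enforcing header stops the load
  };
}

const PAGE = 'https://it.wikivoyage.org/wiki/Template:MappaDinamica';
const TOOLS = 'https://tools.wmflabs.org/wikivoyage/w/poimap2.php?zoom=15&layer=W&lang=it';

// Report-Only header, as in the task: violation reported, load not blocked.
console.log(evaluateFrame(WMF_POLICY, TOOLS, PAGE, true));
// Same policy once it is set to enforce: the iframe would be blocked.
console.log(evaluateFrame(WMF_POLICY, TOOLS, PAGE, false));
// Hypothetical frame-src allow-list: Toolforge passes, but frame-src no longer
// inherits default-src, so a host not repeated there (commons) now fails.
console.log(evaluateFrame(ALLOWLIST_POLICY, TOOLS, PAGE, false));
console.log(evaluateFrame(ALLOWLIST_POLICY, 'https://commons.wikimedia.org/', PAGE, false));
```

Two details worth noticing when reading the output: a wildcard such as *.wikivoyage.org does not cover the apex wikivoyage.org (which is why the quoted policy lists wikisource.org and wikimedia.org separately next to their wildcards), and once frame-src is set it replaces the fallback entirely rather than extending it, so any frame origin that default-src used to cover has to be repeated in frame-src.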