Page MenuHomePhabricator

CSP error when loading scripts from tools.wmflabs.org on Wikidata
Closed, InvalidPublic

Description

I am loading several user scripts from tools.wmflabs.org for use on Wikidata, however this doesn't work anymore due to a CSP error.
Example of script that fails and the error:
load.php?lang=nl&modules=startup&only=scripts&raw=1&skin=vector:11 [Report Only] Refused to load the script 'https://tools.wmflabs.org/wikidata-todo/flagged.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback..

Issue occurs in FireFox and Chrome

Event Timeline

Mbch331 created this task.Sun, Jan 19, 9:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSun, Jan 19, 9:29 AM
Mbch331 updated the task description. (Show Details)Sun, Jan 19, 9:30 AM
Mbch331 closed this task as Invalid.Sun, Jan 19, 9:33 AM

Something else was wrong, scripts now work again while the CSP message still shows in the browser console.

JJMC89 added a subscriber: JJMC89.

This isn't related to the Toolforge infrastructure, and it is working as intended (report only, not blocking).