Page MenuHomePhabricator
Create Task
Maniphest T245981

NavigationTiming extension causes CSP report from using a blob url via webworker
Closed, ResolvedPublic
Actions

Description

For context: CSP policies often block blob: as its a way of doing eval(). eval() and friends are high risk for injection attacks, as often they involve executing the result of string manipulations. Of course, in our context this is kind of a moot point since we currently allow 'unsafe-eval'.

Anyways, not sure if we should allow blob: generally, or if NavigationTiming should enable it in a hook. Leaning towards the latter.

Details

SubjectRepoBranchLines +/-
include blob: as a default script-srcmediawiki/coremaster+45 -45
Customize query in gerrit

Related Objects

Event Timeline

Bawolff created this task.Feb 24 2020, 9:39 AM
Restricted Application added a project: Performance-Team. · View Herald TranscriptFeb 24 2020, 9:39 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Feb 24 2020, 10:12 AM

Change 574401 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] include blob: as a default script-src

https://gerrit.wikimedia.org/r/574401

gerritbot added a project: Patch-For-Review.Feb 24 2020, 10:12 AM
Gilles assigned this task to Krinkle.Feb 25 2020, 5:25 PM
Krinkle moved this task from Inbox, needs triage to Doing (old) on the Performance-Team board.Feb 25 2020, 5:25 PM

I'll review.

Krinkle renamed this task from NavigationTiming extension causes CSP report from using a blob url via webworker. to NavigationTiming extension causes CSP report from using a blob url via webworker.Feb 27 2020, 4:49 PM
Krinkle triaged this task as Medium priority.
Krinkle moved this task from Doing (old) to Blocked (old) on the Performance-Team board.Feb 27 2020, 7:04 PM
Krinkle closed this task as Resolved.Feb 29 2020, 8:03 PM
Krinkle reassigned this task from Krinkle to Bawolff.
Krinkle subscribed.
gerritbot added a comment.Feb 29 2020, 8:17 PM

Change 574401 merged by jenkins-bot:
[mediawiki/core@master] include blob: as a default script-src

https://gerrit.wikimedia.org/r/574401

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.22; 2020-03-03).Feb 29 2020, 9:00 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 29 2020, 9:10 PM
Bawolff mentioned this in T244124: Make CSP enforce on beta cluster.Mar 2 2020, 1:54 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits