Page MenuHomePhabricator

NavigationTiming extension causes CSP report from using a blob url via webworker
Closed, ResolvedPublic

Description

For context: CSP policies often block blob: as its a way of doing eval(). eval() and friends are high risk for injection attacks, as often they involve executing the result of string manipulations. Of course, in our context this is kind of a moot point since we currently allow 'unsafe-eval'.

Anyways, not sure if we should allow blob: generally, or if NavigationTiming should enable it in a hook. Leaning towards the latter.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Change 574401 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] include blob: as a default script-src

https://gerrit.wikimedia.org/r/574401

Krinkle renamed this task from NavigationTiming extension causes CSP report from using a blob url via webworker. to NavigationTiming extension causes CSP report from using a blob url via webworker.Feb 27 2020, 4:49 PM
Krinkle triaged this task as Medium priority.
Krinkle reassigned this task from Krinkle to Bawolff.
Krinkle added a subscriber: Krinkle.

Change 574401 merged by jenkins-bot:
[mediawiki/core@master] include blob: as a default script-src

https://gerrit.wikimedia.org/r/574401