Page MenuHomePhabricator
Create Task
Maniphest T248278

Wikibase doesn't respect Kartographer's addExtraCSPSrc
Closed, ResolvedPublic
Actions

Description

In 889716e13798 Kartographer was changed to automatically add the map server to the CSP source list for pages that include a map on them. However this doesn't seem to work for Wikidata, due to Wikibase\Repo\ParserOutput\GlobeCoordinateKartographerDataUpdater::updateParserOutput not copying that data over.

This wouldn't affect anything in production (Because CSP is not in use yet, but also the plan is to whitelist all of *.wikimedia.org just generally). However, this is breaking things on beta wiki.

My suggested fix would be:

diff --git a/repo/includes/ParserOutput/GlobeCoordinateKartographerDataUpdater.php b/repo/includes/ParserOutput/GlobeCoordinateKartographerDataUpdater.php
index a6963cc409..6a79c92ba5 100644
--- a/repo/includes/ParserOutput/GlobeCoordinateKartographerDataUpdater.php
+++ b/repo/includes/ParserOutput/GlobeCoordinateKartographerDataUpdater.php
@@ -81,6 +81,11 @@ class GlobeCoordinateKartographerDataUpdater implements StatementDataUpdater {
                $parserOutput->addModules( $kartographerParserOutput->getModules() );
                $parserOutput->addModuleStyles( $kartographerParserOutput->getModuleStyles() );
 
+               $srcs = $kartographerParserOutput->getExtraCSPDefaultSrcs();
+               foreach( $srcs as $src ) {
+                       $parserOutput->addExtraCSPDefaultSrc( $src );
+               }
+
                $parserOutput->setExtensionData(
                        'kartographer',
                        $kartographerParserOutput->getExtensionData( 'kartographer' )

However, I'm not sure if that would work during preview. I also haven't tested this as of yet.

Alternatively, it may make sense to use ParserOutput::mergeInternalMetaDataFrom, so that this is less coupled to internal implementation details.

Acceptance Criteria: 🏕️🌟(October 2021):

  • all Wikibase pages that may contain a map add the map server to the CSP source list
    • this includes entity pages that don’t contain a map yet, but where users may add a coordinate statement – the editing UI shows a map preview

Related Objects

Event Timeline

Bawolff created this task.Mar 22 2020, 11:46 PM
Restricted Application added a project: Wikidata. · View Herald TranscriptMar 22 2020, 11:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Bawolff mentioned this in T244124: Make CSP enforce on beta cluster.Mar 22 2020, 11:47 PM
Reedy added a project: Wikidata-Campsite.Mar 23 2020, 1:17 AM
Addshore added a project: [DEPRECATED] wdwb-tech.Jul 16 2021, 8:08 AM
Addshore moved this task from Inbox to To Prioritize on the [DEPRECATED] wdwb-tech board.Jul 19 2021, 2:08 PM
Addshore moved this task from To Prioritize to Triaged Medium (50+) on the [DEPRECATED] wdwb-tech board.Aug 31 2021, 11:22 AM
Lucas_Werkmeister_WMDE moved this task from Incoming to Prioritized Wikidata Tech Backlog (prioritised from top to bottom) on the Wikidata-Campsite board.Sep 28 2021, 10:22 AM
Lucas_Werkmeister_WMDE added a project: MediaWiki-extensions-Wikibase-Client.Oct 6 2021, 8:41 AM
Lucas_Werkmeister_WMDE updated the task description. (Show Details)
Lucas_Werkmeister_WMDE subscribed.Oct 6 2021, 8:44 AM

@Bawolff can you elaborate a bit on the issues on the Beta cluster? As far as I can tell, everything is working both on entity pages (WikibaseRepo, Q15905) and Wikitext pages that use coordinates from entities (WikibaseClient, Talk:Q15905).

Maybe this already got resolved in the meantime?

Addshore moved this task from Prioritized Wikidata Tech Backlog (prioritised from top to bottom) to Incoming on the Wikidata-Campsite board.Nov 4 2021, 10:25 AM
Manuel moved this task from Incoming to Miscellaneous on the Wikidata-Campsite board.Jul 12 2022, 12:06 PM
Manuel moved this task from Miscellaneous to Tech realm on the Wikidata-Campsite board.Aug 2 2022, 12:11 PM
Manuel removed a project: Wikidata-Campsite.Nov 8 2022, 10:58 AM
Michael moved this task from Backlog to Geo&Maps on the MediaWiki-extensions-Wikibase-Client board.Mar 6 2024, 5:31 PM
sbassett subscribed.May 6 2026, 3:29 PM

This is currently allowed under the enforcing CSP within both Wikimedia production and the beta cluster. So @Bawolff's code suggestion isn't really relevant at this time as:

(Because CSP is not in use yet, but also the plan is to whitelist all of *.wikimedia.org just generally)

is no longer accurate, as we are setting an enforcing CSP in Wikimedia production and the beta cluster, and we are allowing *.wikimedia.org, likely indefinitely. And while rolled out in haste due to 2026-user-javascript-incident, an enforcing CSP was always a desired goal of Product Safety and Integrity and not something that we envision as a temporary solution at this time.

sbassett closed this task as Declined.May 6 2026, 3:30 PM
sbassett moved this task from Backlog to Done on the ContentSecurityPolicy board.
sbassett edited projects, added: SecTeam-Processed; removed: [DEPRECATED] wdwb-tech.
sbassett added a comment.May 6 2026, 3:33 PM
In T248278#7404794, @Lucas_Werkmeister_WMDE wrote:

Maybe this already got resolved in the meantime?

Whoops, it seems like this was at least partially addressed in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Kartographer/+/569526? If I'm understanding that change set correctly? Regardless, this should not longer be an issue with the current enforcing CSPs in Wikimedia production and on the beta cluster and their likely future configurations.

sbassett changed the task status from Declined to Resolved.May 6 2026, 3:34 PM
sbassett assigned this task to Bawolff.
sbassett triaged this task as Low priority.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits