It also depends on the location the request is made from. I don't even get app://*.wikimedia.org in connect-src for the first page in @Mholloway's user talk space: connect-src https://*.wikipedia.org;

@JoeWalsh how urgent?

@dr0ptp4kt borderline UBN. Blocking apps release but there's still more beta testing we can do.

Thanks @JoeWalsh . @Pchelolo how should we route this? We believe this probably requires CPT treatment, although I wasn't sure there was a particular workflow we should follow - I didn't think it was necessarily appropriate for me to just assign it to you, although of course your name came to mind!

The problem is here: https://github.com/wikimedia/restbase/blob/master/lib/security_response_header_filter.js#L6

As a workaround we're indeed not storing the CSP for mobile stuff, thus for the responses obtained from the storage we copy-paste the headers. Before I said that storing the headers is not a correct way of doing things since updating the headers will require purging all the PCS content.. I still think that's the case.

This is another example why we need to make PCS manage it's own storage..

Here's a PR for the current problem: https://github.com/wikimedia/restbase/pull/1251

Thanks @Pchelolo. That's good to know. I agree it's best to avoid storing the CSP headers with each page and so we don't need to purge content when it needs to be updated. It's better to always send the latest and greatest for all pages.

So, basically we currently have 3 different places where one could think the production CSP headers for mobile-html are defined, but only the one in RB is the one used. These 3 places are:

• mobileapps: /config.prod.yaml
• mobileapps-deploy: /scap/templates/config.yaml
• RESTBase: /lib/security_response_header_filter.js

Should we just get rid of the ones in mobileapps altogether as to avoid any confusion? Should we remove sending of any CSP?

It's somewhat of a broader issue, but IMO the presence of config.prod.yaml is confusing almost to the point of being misleading, since it's never actually used in production. I wouldn't be opposed to removing it.

Mentioned in SAL (#wikimedia-operations) [2020-04-02T19:23:44Z] <ppchelko@deploy1001> Started deploy [restbase/deploy@7923c1f]: Update CSP headers for mobileapps T248431

Mentioned in SAL (#wikimedia-operations) [2020-04-02T19:38:57Z] <ppchelko@deploy1001> Finished deploy [restbase/deploy@7923c1f]: Update CSP headers for mobileapps T248431 (duration: 15m 13s)

I'm still seeing the old headers on some pages after the deploy. Is this expected?

In T248431#6027491, @JoeWalsh wrote:

I'm still seeing the old headers on some pages after the deploy. Is this expected?

It might still be service some stale data from Varnish, it's totally possible. You can check by verifying the 'age' header.

Thanks, it looks like that's it: Age: 268489

What remains to be done here? Where should the be on the board?