Page MenuHomePhabricator
Create Task
Maniphest T249486

Change Content Security Policy on betacommons to allow api.flickr.com
Open, MediumPublic
Actions

Description

Required to test Flickr import features of UploadWizard on beta.

Related Objects
Search...

Event Timeline

AlexisJazz created this task.Apr 6 2020, 9:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 6 2020, 9:22 AM
RhinosF1 subscribed.Apr 6 2020, 11:24 AM
Urbanecm added a project: Security-Team.Apr 6 2020, 3:14 PM
Urbanecm subscribed.

IIRC, neither beta nor production allow external non-WM-hosted service in their CSPs. This should not be done without SecTeam's affirmative comment.

sbassett triaged this task as Medium priority.Apr 6 2020, 3:47 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.
sbassett added a comment.Apr 6 2020, 3:57 PM

Ideally, the Security-Team would prefer to wait for c557581 to get merged, so this sort of thing can fall to user-land, as I'm not sure everyone wants to or should allow something like api.flickr.com on beta or regular commons. Unfortunately, that patch is still hung up on RFC finalization (T208188#6030030). If this is more pressing, we could perhaps explore something like changing a CSP directive for a given time period (i.e. a day or two) to facilitate testing.

Bawolff subscribed.EditedApr 6 2020, 4:00 PM

Note, the flickr thing is part of the uploadwizard extension, not a gadget or anything like that. Most of the other things like that had builtin exceptions, at least in the short term (in the spirit of stabilizing the status quo before changing things)

AlexisJazz added a comment.Apr 6 2020, 11:16 PM
In T249486#6032516, @Urbanecm wrote:

IIRC, neither beta nor production allow external non-WM-hosted service in their CSPs. This should not be done without SecTeam's affirmative comment.

So how come that Flickr import works on production but doesn't work on beta? (note: it works on beta when you disable CSP locally.. which is a very bad idea)

Bawolff added a comment.Apr 7 2020, 12:07 AM

CSP is still being tested. Its enforced on beta for testing purposes, in prod it only gives warning on browser developer console

AlexisJazz added a comment.Apr 7 2020, 7:46 AM
In T249486#6034777, @Bawolff wrote:

CSP is still being tested. Its enforced on beta for testing purposes, in prod it only gives warning on browser developer console

I believe VisualFileChange loads a resource from dewiki so that may cause problems too?

sbassett added a comment.Apr 8 2020, 2:44 AM
In T249486#6032726, @Bawolff wrote:

Note, the flickr thing is part of the uploadwizard extension, not a gadget or anything like that. Most of the other things like that had builtin exceptions, at least in the short term (in the spirit of stabilizing the status quo before changing things)

I'm not seeing anything in the labs CS.php/IS.php for anything outside of the standard Wikimedia domains, nor in the headers when I load any beta pages.

In T249486#6035303, @AlexisJazz wrote:

I believe VisualFileChange loads a resource from dewiki so that may cause problems too?

This should be fine as Wikimedia domains are already supported.

Aklapper added a subtask: T208188: RFC: Partial opt-out method for Content security policy.May 20 2020, 10:49 AM
TheDJ mentioned this in T208188: RFC: Partial opt-out method for Content security policy.May 28 2020, 3:12 PM
TheDJ subscribed.May 28 2020, 3:20 PM
In T249486#6038532, @sbassett wrote:
In T249486#6032726, @Bawolff wrote:

Note, the flickr thing is part of the uploadwizard extension, not a gadget or anything like that. Most of the other things like that had builtin exceptions, at least in the short term (in the spirit of stabilizing the status quo before changing things)

I'm not seeing anything in the labs CS.php/IS.php for anything outside of the standard Wikimedia domains, nor in the headers when I load any beta pages.

3rd party Maps on wiki en.wikivoyage would be one of such exceptions.

alistair3149 added a subtask: T278472: UploadWizard should add Flickr API to Content Security Policy when required.May 19 2021, 2:10 PM
alistair3149 added a project: UploadWizard.Mar 2 2024, 7:43 PM
matthiasmullie mentioned this in T355715: [L] Reconfigure the placement of release rights info for flickr uploads in upload wizard.Mar 27 2024, 7:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL