In T250758#6073918, @bd808 wrote:
- Two content-security-policy reports are generated by the tool for fetching resources that are outside of the Wikimedia hosting environment:
  - https://cors-anywhere.herokuapp.com/https://tatsumo.pythonanywhere.com/api/album/2ABAeQdTwWlZZj4cW2zOWX
    - This is a double remote request in reality. First to https://cors-anywhere.herokuapp.com/ which is a proxy for adding CORS headers to anything, and then to https://tatsumo.pythonanywhere.com/api/album/2ABAeQdTwWlZZj4cW2zOWX which seems to be the main external API that the tool is automating use of.
  - https://i.scdn.co/image/ab67616d0000b27373dc2eca0656689869d88ae9
    - This is an image URL returned by the tatsumo API for the album cover art.
Eventually T130748: Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses may be changed from report-only mode to enforcement mode and then these requests will break. As these interactions are core to the tool's functionality, adding a reverse proxy with a restrictive allow list for proxied URLs to the tool itself is probably the "best" way to present the desired content without exposing the user to direct interaction with 3rd party hosting and potential tracking. This could be done with a PHP script to do the proxying.
Recent CSP violation reports can be seen at https://csp-report.toolforge.org/search?ft=moedata
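As an added illustration of the allow-listed reverse proxy suggested above (example code, not part of this task or of the tool; the comment proposes a PHP script, and this is the same allow-list logic written in Python so it can be exercised directly): the proxy accepts only `https` URLs on the two upstream hosts seen in the CSP reports, under fixed path prefixes, rejects credentials, non-standard ports and dot segments, refuses to follow upstream redirects (which would otherwise bypass the allow list), and caps the response size. The host list, path prefixes, size cap and User-Agent string are assumptions made for the example. The cors-anywhere hop disappears because a server-side proxy does not need CORS headers.

```python
"""Allow-listed reverse proxy check for a Toolforge tool's outbound fetches.

Added example, not code from the task or the tool. Hosts and path prefixes
come from the two URLs in the CSP reports; everything else is rejected.
"""
import posixpath
import urllib.request
from urllib.parse import unquote, urlsplit, urlunsplit

# Constructed allow list: host -> path prefixes the proxy may fetch.
ALLOWED_UPSTREAMS = {
    "tatsumo.pythonanywhere.com": ("/api/album/",),
    "i.scdn.co": ("/image/",),
}

MAX_BODY = 5 * 1024 * 1024  # assumed cap on proxied response bodies


def allowed_upstream(url):
    """Return a normalised upstream URL if it is on the allow list, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None
    # No credentials and no non-standard ports in proxied URLs.
    if parts.username or parts.password or port not in (None, 443):
        return None
    host = parts.hostname  # lower-cased by urlsplit; exact match only
    if not host or host not in ALLOWED_UPSTREAMS:
        return None
    # Reject "." / ".." segments, also in percent-encoded form, so that
    # /image/../x or /image/%2e%2e/x cannot escape the allowed subtree.
    if any(seg in (".", "..") for seg in unquote(parts.path).split("/")):
        return None
    path = posixpath.normpath(parts.path)  # collapses repeated slashes
    if not any(path.startswith(p) and len(path) > len(p)
               for p in ALLOWED_UPSTREAMS[host]):
        return None
    # Rebuild from validated pieces: fragment dropped, query kept.
    return urlunsplit(("https", host, path, parts.query, ""))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 3xx to another host would bypass the allow list."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_https(url):
    """Fetch an already-validated upstream URL with a timeout and a size cap."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "tool-proxy-example"})
    with opener.open(req, timeout=10) as resp:
        return resp.read(MAX_BODY)


def proxy(requested_url, fetch=fetch_https):
    """Handle one proxy request and return (status, body).

    Only allow-listed URLs are fetched; upstream failures (including refused
    redirects, which surface as HTTPError, an OSError subclass) map to 502.
    """
    upstream = allowed_upstream(requested_url)
    if upstream is None:
        return 403, b"upstream not on allow list"
    try:
        return 200, fetch(upstream)
    except OSError as exc:
        return 502, ("upstream fetch failed: %s" % exc).encode()


if __name__ == "__main__":
    for candidate in (
        "https://tatsumo.pythonanywhere.com/api/album/2ABAeQdTwWlZZj4cW2zOWX",
        "https://cors-anywhere.herokuapp.com/https://tatsumo.pythonanywhere.com/api/album/x",
        "https://i.scdn.co/image/../secret",
    ):
        print(candidate, "->", allowed_upstream(candidate))
```

The `fetch` parameter exists so the decision logic can be tested without network access; in the tool, `proxy()` would be called with the `url` query parameter of the incoming request and the returned body relayed to the browser, with the CSP then only needing to allow the tool's own origin.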