
Allow MediaWiki client side JS to POST to EventGate webproxy in beta
Closed, Resolved (Public)

Description

I'm trying to test POSTing to EventGate with the EventLogging extension in beta. A CSP violation is preventing me from doing so:

Refused to connect to 'https://intake-analytics-beta.wmflabs.org/v1/events?hasty=true' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.beta.wmflabs.org *.wikipedia.beta.wmflabs.org *.wikinews.beta.wmflabs.org *.wiktionary.beta.wmflabs.org *.wikibooks.beta.wmflabs.org *.wikiversity.beta.wmflabs.org *.wikisource.beta.wmflabs.org *.wikiquote.beta.wmflabs.org wikidata.beta.wmflabs.org m.wikidata.beta.wmflabs.org *.wikivoyage.beta.wmflabs.org *.mediawiki.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org en.wikipedia.beta.wmflabs.org en.wikisource.beta.wmflabs.org en.wikibooks.beta.wmflabs.org en.wikiversity.beta.wmflabs.org en.wikiquote.beta.wmflabs.org en.wikinews.beta.wmflabs.org en.wikivoyage.beta.wmflabs.org en.wiktionary.beta.wmflabs.org deployment.wikimedia.beta.wmflabs.org test.wikimedia.beta.wmflabs.org commons.wikimedia.beta.wmflabs.org login.wikimedia.beta.wmflabs.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I think either I need the ability to create Horizon webproxies like 'intake-analytcs.wikimedia.beta.wmflabs.org', or 'intake-analytics-beta.wmflab.org' needs to be allowed in our CSP rules.

It seems like it would be useful to allow beta MediaWiki to connect to any webproxy in deployment-prep. Since Horizon won't allow for the creation of subdomains (e.g. no intake-analytcs.wikimedia.beta.wmflabs.org), perhaps we should just make a convention that '*-beta.wmflabs.org' is allowed? I'll submit a patch for review to do this, but I'm not sure if it is the right thing to do.
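Added example, not part of the original task or of MediaWiki's code: a simplified model of how a browser chooses the governing directive for a `fetch`/`sendBeacon` request and matches CSP host-sources, run against an abridged copy of the policy from the error above. It also covers the proposed `*-beta.wmflabs.org` entry, which does not parse as a CSP host-source because a wildcard may only replace whole leftmost labels (`*.`). `PAGE` and the `intake-analytics.wikimedia.beta.wmflabs.org` host are assumed values; ports and paths are ignored.

```javascript
// Simplified CSP source matching for illustration: ports and paths are ignored.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)$/;

// Abridged from the violation message above; PAGE is an assumed page URL.
const POLICY = "default-src 'self' data: blob: https://upload.beta.wmflabs.org " +
  "*.wikimedia.beta.wmflabs.org *.wikipedia.beta.wmflabs.org *.wikimedia.org";
const PAGE = 'https://en.wikipedia.beta.wmflabs.org/wiki/Main_Page';
const TARGET = 'https://intake-analytics-beta.wmflabs.org/v1/events?hasty=true';

// Split "name src src; name src" into a Map; the first copy of a directive wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function sourceMatches(source, url, self) {
  if (source === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // data:, blob:
  const m = HOST_SOURCE.exec(source);
  if (!m) return false; // not a valid host-source, so it matches nothing
  const [, scheme = self.protocol.slice(0, -1), host] = m;
  const got = url.protocol.slice(0, -1);
  if (got !== scheme && !(scheme === 'http' && got === 'https')) return false;
  if (host === '*') return true;
  // "*." stands for whole leftmost labels only: *.example.org, never *-beta.example.org
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// fetch(), XHR and sendBeacon() are checked against connect-src, else default-src.
// An explicit connect-src replaces default-src for these requests; the lists do not merge.
function isConnectAllowed(policy, target, pageUrl = PAGE) {
  const directives = parsePolicy(policy);
  const sources = directives.get('connect-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive
  const url = new URL(target), self = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, self));
}

console.log(isConnectAllowed(POLICY, TARGET));                         // false
console.log(isConnectAllowed(POLICY + ' *-beta.wmflabs.org', TARGET)); // false
console.log(isConnectAllowed(POLICY,
  'https://intake-analytics.wikimedia.beta.wmflabs.org/v1/events'));   // true
```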

Event Timeline

Restricted Application added a subscriber: Aklapper.

Change 595545 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/mediawiki-config@master] Add Horizon webproxies that end in -beta.wmflabs.org to CSP

https://gerrit.wikimedia.org/r/595545

Change 595545 abandoned by Ottomata:
Add Horizon webproxies that end in -beta.wmflabs.org to CSP

https://gerrit.wikimedia.org/r/595545

Timo suggested I just add routing to these backends in ATS via Horizon Hiera in deployment-prep. I will do that instead of modifying MW CSP rules.

Change 595620 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/mediawiki-config@master] Set intake-logging,analytics beta URLs to use ATS defined endpoint

https://gerrit.wikimedia.org/r/595620

Change 595620 merged by Ottomata:
[operations/mediawiki-config@master] Set intake-logging,analytics beta URLs to use ATS defined endpoint

https://gerrit.wikimedia.org/r/595620

Ottomata claimed this task.