Page MenuHomePhabricator

Allow MediaWiki client side JS to POST to EventGate webproxy in beta
Closed, ResolvedPublic

Description

I'm trying to test POSTing to EventGate with the EventLogging extension in beta. A CSP violation is preventing me from doing so:

Refused to connect to 'https://intake-analytics-beta.wmflabs.org/v1/events?hasty=true' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: https://upload.beta.wmflabs.org upload.beta.wmflabs.org https://commons.wikimedia.beta.wmflabs.org https://upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.beta.wmflabs.org *.wikimedia.beta.wmflabs.org *.wikipedia.beta.wmflabs.org *.wikinews.beta.wmflabs.org *.wiktionary.beta.wmflabs.org *.wikibooks.beta.wmflabs.org *.wikiversity.beta.wmflabs.org *.wikisource.beta.wmflabs.org *.wikiquote.beta.wmflabs.org wikidata.beta.wmflabs.org m.wikidata.beta.wmflabs.org *.wikivoyage.beta.wmflabs.org *.mediawiki.beta.wmflabs.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org en.wikipedia.beta.wmflabs.org en.wikisource.beta.wmflabs.org en.wikibooks.beta.wmflabs.org en.wikiversity.beta.wmflabs.org en.wikiquote.beta.wmflabs.org en.wikinews.beta.wmflabs.org en.wikivoyage.beta.wmflabs.org en.wiktionary.beta.wmflabs.org deployment.wikimedia.beta.wmflabs.org test.wikimedia.beta.wmflabs.org commons.wikimedia.beta.wmflabs.org login.wikimedia.beta.wmflabs.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

I think, either I need the ability to create Horizon webproxies like 'intake-analytcs.wikimedia.beta.wmflabs.org', or 'intake-analytics-beta.wmflab.org' needs to be allowed in our CSP rules.

It seems like it would be useful to allow beta MediaWiki to connect to any webproxy in deployment-prep. Since horizon won't allow for the creation of sub domains (e.g. no intake-analytcs.wikimedia.beta.wmflabs.org), perhaps we should just make a convention that '*-beta.wmflabs.org' is allowed? I'll submit a patch for review to do this, but I'm not sure if it is the right thing to do.

Event Timeline

Ottomata created this task.May 11 2020, 2:46 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMay 11 2020, 2:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Change 595545 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/mediawiki-config@master] Add Horizon webproxies that end in -beta.wmflabs.org to CSP

https://gerrit.wikimedia.org/r/595545

Ottomata moved this task from Incoming to Event Platform on the Analytics board.May 11 2020, 3:17 PM

Change 595545 abandoned by Ottomata:
Add Horizon webproxies that end in -beta.wmflabs.org to CSP

https://gerrit.wikimedia.org/r/595545

Timo suggested I just add routing to these backends in ATS via horizon hiera in deployment-prep. I will do that instead of modifying MW CSP rules.

Change 595620 had a related patch set uploaded (by Ottomata; owner: Ottomata):
[operations/mediawiki-config@master] Set intake-logging,analytics beta URLs to use ATS defined endpoint

https://gerrit.wikimedia.org/r/595620

Change 595620 merged by Ottomata:
[operations/mediawiki-config@master] Set intake-logging,analytics beta URLs to use ATS defined endpoint

https://gerrit.wikimedia.org/r/595620

Ottomata closed this task as Resolved.May 11 2020, 7:33 PM
Ottomata claimed this task.