Page MenuHomePhabricator

wdqs-wmil-tutorial tool causes visiting browser to load data from 3rd party sites
Closed, ResolvedPublic

Description

Recent CSP violation reports can be seen at https://csp-report.toolforge.org/search?ft=wdqs-wmil-tutorial

The theme of the WordPress install here is the most likely source of requests to Google and Gravatar servers. There seem to also be some requests to the legacy hosting environment at wikidata.wwwnlsrc4.supercp.com.

  • The local cdnjs and fontcdn privacy protecting proxies can and should be used instead for the assets loaded from Google.
  • Gravatar integration can be disabled using the WordPress admin interface.
  • References to the prior hosting location should be fixed to point to the new tool instead.

Event Timeline

bd808 created this task.May 12 2020, 12:33 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 12 2020, 12:33 AM

thanks @bd808! I've managed to address most of the issues. It looks like over last week (since I made changes), there were only plugin etc icons loaded from ps.w.org which is probably something to not be changed.

bd808 closed this task as Resolved.Jul 2 2020, 9:00 PM
bd808 assigned this task to WMDE-leszek.

Based on the 2020-07-02 content of https://csp-report.toolforge.org/search?ft=wdqs-wmil-tutorial, it looks like 3rd party data loads are now limited to URLs under https://wdqs-wmil-tutorial.toolforge.org/wp-admin/ which are not end user facing. These loads will fail when we finally flip the Content-Security-Policy from report-only to enforced, but that seems unlikely to break the tool.