
wdqs-wmil-tutorial tool causes visiting browser to load data from 3rd party sites
Closed, Resolved · Public

Description

Recent CSP violation reports can be seen at https://csp-report.toolforge.org/search?ft=wdqs-wmil-tutorial

The theme of the WordPress install here is the most likely source of requests to Google and Gravatar servers. There seem to also be some requests to the legacy hosting environment at wikidata.wwwnlsrc4.supercp.com.

  • The local cdnjs and fontcdn privacy-protecting proxies can and should be used instead for the assets loaded from Google.
  • Gravatar integration can be disabled using the WordPress admin interface.
  • References to the prior hosting location should be fixed to point to the new tool instead.

Event Timeline

Thanks @bd808! I've managed to address most of the issues. It looks like over the last week (since I made changes), there were only plugin etc. icons loaded from ps.w.org, which is probably something not to be changed.

bd808 assigned this task to WMDE-leszek.

Based on the 2020-07-02 content of https://csp-report.toolforge.org/search?ft=wdqs-wmil-tutorial, it looks like 3rd party data loads are now limited to URLs under https://wdqs-wmil-tutorial.toolforge.org/wp-admin/ which are not end user facing. These loads will fail when we finally flip the Content-Security-Policy from report-only to enforced, but that seems unlikely to break the tool.
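The triage done by hand in this task (group the CSP violation reports by third-party host, decide whether the load happens on a visitor-facing page or only under /wp-admin/, and pick the remediation from the description: proxy, disable Gravatar, or fix the legacy reference) can be scripted. The following is an added example written for this page, not code from the task, from the csp-report tool or from the wdqs-wmil-tutorial tool. It assumes the legacy `{"csp-report": {...}}` report shape and the Toolforge proxy layout (swap the host for `https://tools-static.wmflabs.org/fontcdn` or `.../cdnjs`, keep path and query); the report lines are constructed for the example and are not from the real report feed.

```python
"""Triage CSP violation reports for a Toolforge-hosted WordPress tool.

Added example for this task page, not the tool's or the csp-report tool's code.
Proxy prefixes and the sample reports below are assumptions / constructed data.
"""
import json
from urllib.parse import urlparse

TOOL_ORIGIN = "https://wdqs-wmil-tutorial.toolforge.org"
LEGACY_HOST = "wikidata.wwwnlsrc4.supercp.com"  # prior hosting location named in the task

# Assumed layout of the Toolforge privacy proxies: the third-party host is
# replaced by the proxy prefix and the original path and query are kept.
PROXY_PREFIX = {
    "fonts.googleapis.com": "https://tools-static.wmflabs.org/fontcdn",
    "fonts.gstatic.com": "https://tools-static.wmflabs.org/fontcdn",
    "cdnjs.cloudflare.com": "https://tools-static.wmflabs.org/cdnjs",
}

# Constructed sample reports (legacy report-uri JSON shape), not real feed data.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": TOOL_ORIGIN + "/",
                               "blocked-uri": "https://fonts.googleapis.com/css?family=Open+Sans",
                               "effective-directive": "style-src-elem", "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": TOOL_ORIGIN + "/2020/06/some-post/",
                               "blocked-uri": "https://secure.gravatar.com/avatar/abc123?s=96",
                               "effective-directive": "img-src", "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": TOOL_ORIGIN + "/",
                               "blocked-uri": "https://" + LEGACY_HOST + "/wp-content/themes/x/style.css",
                               "effective-directive": "style-src-elem", "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": TOOL_ORIGIN + "/wp-admin/plugins.php",
                               "blocked-uri": "https://ps.w.org/some-plugin/assets/icon-128x128.png",
                               "effective-directive": "img-src", "disposition": "report"}}),
    json.dumps({"csp-report": {"document-uri": TOOL_ORIGIN + "/",
                               "blocked-uri": "inline",  # no host: not a third-party load
                               "effective-directive": "style-src-attr", "disposition": "report"}}),
]


def is_end_user_facing(document_uri):
    """Pages under /wp-admin/ are only seen by logged-in editors, not visitors."""
    return not urlparse(document_uri).path.startswith("/wp-admin/")


def rewrite_to_proxy(url):
    """Map a Google Fonts / cdnjs URL onto the (assumed) Toolforge proxy prefix."""
    p = urlparse(url)
    return PROXY_PREFIX[p.hostname] + p.path + ("?" + p.query if p.query else "")


def suggest_fix(blocked_uri, loaded_on_public_page):
    """Pick the remediation the task description lists for this kind of host."""
    host = urlparse(blocked_uri).hostname or ""
    if host in PROXY_PREFIX:
        return "rewrite to " + rewrite_to_proxy(blocked_uri)
    if host.endswith("gravatar.com"):
        return "disable Gravatar in the WordPress admin interface"
    if host == LEGACY_HOST:
        return "point reference at " + TOOL_ORIGIN
    if not loaded_on_public_page:
        return "admin-only load; fails once CSP is enforced, no visitor impact"
    return "investigate: unexpected third-party load on a public page"


def triage(raw_reports):
    """Group reports by blocked host: count, public exposure, directives, fix."""
    summary = {}
    tool_host = urlparse(TOOL_ORIGIN).hostname
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        blocked = r.get("blocked-uri", "")
        host = urlparse(blocked).hostname
        if host is None or host == tool_host:
            continue  # "inline"/"eval"/data: or same-origin: not third-party data
        entry = summary.setdefault(host, {"count": 0, "public": False,
                                          "directives": set(), "example": blocked})
        entry["count"] += 1
        entry["public"] |= is_end_user_facing(r["document-uri"])
        entry["directives"].add(r.get("effective-directive")
                                or r.get("violated-directive", "?"))
    for host, entry in summary.items():
        entry["fix"] = suggest_fix(entry["example"], entry["public"])
    return summary


if __name__ == "__main__":
    for host, e in triage(SAMPLE_REPORTS).items():
        exposure = "PUBLIC" if e["public"] else "admin-only"
        print(f"{host:35} {e['count']}x {exposure:10} {sorted(e['directives'])} -> {e['fix']}")
```

Run against the constructed reports, ps.w.org comes out as admin-only with the note that it will simply fail once the policy is enforced, which is the conclusion the last comment reaches; the fonts, Gravatar and legacy-host entries each get the remediation from the description. Real reports from the csp-report tool will vary in shape (some browsers strip the path from a cross-origin `blocked-uri`), so treat the host-level grouping, not the example path, as the stable signal.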