Page MenuHomePhabricator

wdqs-wmil-tutorial tool causes visiting browser to load data from 3rd party sites
Closed, ResolvedPublic


Recent CSP violation reports can be seen at

The theme of the WordPress install here is the most likely source of requests to Google and Gravatar servers. There seem to also be some requests to the legacy hosting environment at

  • The local cdnjs and fontcdn privacy protecting proxies can and should be used instead for the assets loaded from Google.
  • Gravatar integration can be disabled using the WordPress admin interface.
  • References to the prior hosting location should be fixed to point to the new tool instead.

Event Timeline

thanks @bd808! I've managed to address most of the issues. It looks like over last week (since I made changes), there were only plugin etc icons loaded from which is probably something to not be changed.

bd808 assigned this task to WMDE-leszek.

Based on the 2020-07-02 content of, it looks like 3rd party data loads are now limited to URLs under which are not end user facing. These loads will fail when we finally flip the Content-Security-Policy from report-only to enforced, but that seems unlikely to break the tool.