Maniphest T258232

fontcdn.toolforge.org loads assets for detail views directly from google
Open, MediumPublic
Actions

Assigned To

None

Authored By

	bd808
	Jul 16 2020, 11:31 PM

Tags

Referenced Files

None

Subscribers

Description

https://csp-report.toolforge.org/search?ft=fontcdn

The front end UI for our privacy enhancing reverse proxy to https://fonts.googleapis.com calls out directly to https://fonts.googleapis.com when you click on a font to see the URLs to use to load it via the proxy.

Steps to reproduce:

Browse to https://fontcdn.toolforge.org/
Open js console/developer tools
Click on any font card (for example Roboto)
Watch the long stream of CSP violation warnings scroll by

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Open		None	T133919 [EPIC] Protect end-user privacy by restricting non-consensual third-party browser interactions
		Open		None	T130748 Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses
		Open		None	T172065 Hunt for Toolforge tools that load resources from third party sites
		Open		None	T258232 fontcdn.toolforge.org loads assets for detail views directly from google

Event Timeline

bd808 created this task.Jul 16 2020, 11:31 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 16 2020, 11:31 PM

Nintendofan885 subscribed.Jul 17 2020, 7:16 AM

• nskaggs triaged this task as Medium priority.Aug 11 2020, 4:19 PM

Aklapper added projects: Privacy Engineering, Privacy.Jul 4 2022, 8:26 PM

• JFishback_WMF moved this task from Incoming to Watching on the Privacy Engineering board.Jul 5 2022, 5:03 PM

fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:13 PM

fnegri moved this task from Kanban to Inbox on the cloud-services-team board.