Came across this interesting bug today
The stack trace points to the emitCpuBenchmark function
Description
Event Timeline
Has no impact on any of the features involved. The dedicated stack is optional and may fail. Untagging from prod errors as such.
Uncaught SecurityError: Failed to construct 'Worker': Access to the script at 'blob:https://ca.wikipedia.org/92522a15-8318-403f-bb45-8e554fc893c0' is denied by the document's Content Security Policy.
- Request ID: 5ae6ede9-d23a-4c59-ac9f-3e10127ef4ad
- URL: https://ca.wikipedia.org/wiki/NASA?banner=B1920_0301_mlWW_dsk_p1_lg_cnt&country=ES
The underlying issue appears to be due to CentralNotice overriding the CSP policy and thus undoing core's allowance of blob: URLs.
content-security-policy-report-only script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline'; object-src 'none'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1
content-security-policy script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org www.pages04.net; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline';
Change 616583 had a related patch set uploaded (by SBassett; owner: SBassett):
[operations/mediawiki-config@master] Adding blob: to CentralNoticeContentSecurityPolicy script-src directive
Change 616583 merged by jenkins-bot:
[operations/mediawiki-config@master] Adding blob: to CentralNoticeContentSecurityPolicy script-src directive
Mentioned in SAL (#wikimedia-operations) [2020-07-27T21:31:45Z] <sbassett@deploy1001> Synchronized wmf-config/CommonSettings.php: Deployed CentralNotice CSP config change for T258459 (duration: 00m 57s)
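The following is an added example, not code from this task or from MediaWiki. It shows why the enforced policy above blocks `new Worker(blobUrl)` even though its default-src lists blob:. The browser consults only the first directive present in the worker fallback chain, which here is script-src. The policy strings are abbreviated, constructed versions of the two headers quoted above, and the function names are hypothetical.

```javascript
// Directive fallback order for worker scripts (CSP Level 3).
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// Constructed, abbreviated forms of the headers quoted in the task.
const REPORT_ONLY = "script-src 'unsafe-eval' blob: 'self' *.wikipedia.org 'unsafe-inline'; " +
  "default-src 'self' data: blob: *.wikipedia.org; object-src 'none'";
const ENFORCED = "script-src 'unsafe-eval' 'self' *.wikipedia.org 'unsafe-inline'; " +
  "default-src 'self' data: blob: *.wikipedia.org";
// Assumed shape of the policy after blob: is added to script-src.
const FIXED = ENFORCED.replace("script-src 'unsafe-eval'", "script-src 'unsafe-eval' blob:");

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive decides a blob: worker load and whether it allows it.
function checkBlobWorker(policy) {
  const directives = parseCsp(policy);
  const governing = WORKER_FALLBACK.find((d) => directives.has(d));
  if (!governing) return { governing: null, allowed: true }; // nothing restricts it
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  // Simplification: only an explicit blob: scheme-source is accepted, since
  // 'self' and host-sources such as *.wikipedia.org do not match blob: URLs.
  return { governing, allowed: sources.includes('blob:') };
}

for (const [label, policy] of [['report-only', REPORT_ONLY],
  ['enforced', ENFORCED], ['fixed', FIXED]]) {
  const { governing, allowed } = checkBlobWorker(policy);
  console.log(`${label}: governed by ${governing}, blob: worker allowed = ${allowed}`);
}
```

Running the same check over every policy a site can emit, including ones overridden by extensions, catches this kind of drift between the core policy and an override before it reaches production.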