
Uncaught SecurityError: Failed to construct 'Worker': Access to the script at 'blob:https://ca.wikipedia.org/92522a15-8318-403f-bb45-8e554fc893c0' is denied by the document's Content Security Policy.
Closed, ResolvedPublic

Event Timeline

Restricted Application added a subscriber: Aklapper.
Krinkle subscribed.

Has no impact on any of the features involved. The dedicated stack is optional and may fail. Untagging from prod errors as such.

Uncaught SecurityError: Failed to construct 'Worker': Access to the script at 'blob:https://ca.wikipedia.org/92522a15-8318-403f-bb45-8e554fc893c0' is denied by the document's Content Security Policy.

The underlying issue appears to be due to CentralNotice overriding the CSP policy and thus undoing core's allowance of blob: URLs.

Regular CSP on page views
content-security-policy-report-only
	script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline'; object-src 'none'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1
Banner CSP override
content-security-policy
	script-src 'unsafe-eval' 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline'; default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org www.pages04.net; style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline';

Change 616583 had a related patch set uploaded (by SBassett; owner: SBassett):
[operations/mediawiki-config@master] Adding blob: to CentralNoticeContentSecurityPolicy script-src directive

https://gerrit.wikimedia.org/r/616583

Change 616583 merged by jenkins-bot:
[operations/mediawiki-config@master] Adding blob: to CentralNoticeContentSecurityPolicy script-src directive

https://gerrit.wikimedia.org/r/616583

Mentioned in SAL (#wikimedia-operations) [2020-07-27T21:31:45Z] <sbassett@deploy1001> Synchronized wmf-config/CommonSettings.php: Deployed CentralNotice CSP config change for T258459 (duration: 00m 57s)

sbassett triaged this task as Low priority.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.