Page MenuHomePhabricator
Create Task
Maniphest T268868

Suspicious typeface file names loading on arwiki from Toolforge
Closed, ResolvedPublicSecurity
Actions

Description

When testing CentralNotice banners, the stricter Content Security Policy was throwing up a series of warnings.

This relates to series of font files that are being defined here:

https://ar.wikipedia.org/wiki/%D9%85%D9%8A%D8%AF%D9%8A%D8%A7%D9%88%D9%8A%D9%83%D9%8A:Ruqaa.css

And are being pulled in by default to the sites common.css.

The previous characters were removed here with the edit summary ' The line was removed because the system no longer supports links from Tulabs ' (إزالة السطر بسبب أن النظام لم يعد يدعم الروابط القادمة من التولابز). The new fonts were added in in this edit. Both by the same user.

The file names were what looked most suspect to me and I can believe there is a good faith reason for doing this. But loading in any files for an entire site from labs in this way should not be the done thing.

Related Objects

Event Timeline

Jseddon created this task.Nov 27 2020, 3:32 AM
Restricted Application added subscribers: alaa, Aklapper. · View Herald TranscriptNov 27 2020, 3:32 AM
Reedy subscribed.Nov 27 2020, 3:46 AM

See also T209998: Privacy break on eu.wikipedia.org loading font from toolforge (https://tools-static.wmflabs.org/fontcdn/)

Reedy added a project: Privacy.Nov 27 2020, 4:12 AM
Reedy added a project: Privacy Engineering.
Reedy added a comment.Nov 27 2020, 4:16 AM

Removed in https://ar.wikipedia.org/w/index.php?title=%D9%85%D9%8A%D8%AF%D9%8A%D8%A7%D9%88%D9%8A%D9%83%D9%8A%3ARuqaa.css&type=revision&diff=51658993&oldid=41102117

Reedy added a comment.Nov 27 2020, 4:17 AM

Going to make the task public incase of further discussion/communication with the community (no private data etc in this ticket)

Reedy added a project: ContentSecurityPolicy.Nov 27 2020, 4:17 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
DannyS712 subscribed.Nov 27 2020, 4:30 AM
alaa added a comment.Nov 27 2020, 11:28 AM

Thanks @Reedy & @Jseddon.
If you want I can put a notice on arwiki village pump about this, and ping the user who made those edits (Adding per community request to use on the Mathematical equations).

Reedy added a comment.Nov 27 2020, 3:45 PM

Feel free :)

Nintendofan885 renamed this task from Suspicious typeface file names loading on arwiki from labs to Suspicious typeface file names loading on arwiki from Toolforge.Nov 27 2020, 3:53 PM
alaa added subscribers: FShbib, Meno25, ASammour.Nov 27 2020, 5:36 PM
alaa added a subscriber: Zack.Nov 27 2020, 5:52 PM
Reedy closed this task as Resolved.Nov 30 2020, 4:21 PM
Reedy claimed this task.
Meno25 removed a subscriber: FShbib.Jan 14 2023, 10:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL