
WVUI and Codex demos: CSP stopping typeahead input demos working
Open, Needs Triage, Public

Description

For example: https://doc.wikimedia.org/wvui/master/ui/?path=/story/components-typeaheadsearch--configurable

Typing in the box has no effect and the browser console outputs errors like:

Content Security Policy: The page’s settings blocked the loading of a resource at https://en.wikipedia.org/w/rest.php/v1/search/title?q=W&limit=10 (“default-src”).

Event Timeline

Catrope renamed this task from WVUI Storybook demos: CSP stopping typeahead input demos working to WVUI and Codex demos: CSP stopping typeahead input demos working. Sat, Jan 15, 12:09 AM
Catrope added a subscriber: Catrope.

The same issue affects the Codex demo at https://doc.wikimedia.org/codex/main/components/lookup.html#with-fetched-results:

Refused to connect to 'https://www.wikidata.org/w/api.php?origin=*&action=wbsearchentities&format=json&search=m&language=en&limit=10&props=url' because it violates the following Content Security Policy directive: "default-src 'self' data:". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.

The demo tries to use fetch() to get search results from wikidata.org (as it's demonstrating a search-like component), but the strict CSP rules introduced by T213223 block this request.

Change 754048 had a related patch set uploaded (by Catrope; author: Catrope):

[operations/puppet@production] doc.wikimedia.org CSP: Allow XHR requests to Wikipedia and Wikidata

https://gerrit.wikimedia.org/r/754048

I've uploaded a patch that relaxes the CSP rules for doc.wikimedia.org to allow these requests, but I think these should be reviewed and approved by the Security-Team before we make that change. (cc @sbassett who was involved in setting these CSP rules in 2019)
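The console message quoted above describes the mechanism behind the bug: a fetch() or XHR is governed by connect-src, and when that directive is absent the browser falls back to default-src, which here is "'self' data:" and so rejects wikidata.org and en.wikipedia.org. The following is an added example that models that evaluation; it is not code from WVUI, Codex, the doc.wikimedia.org puppet configuration or Gerrit change 754048. The policy strings are constructed: BEFORE reproduces the directive quoted in the console error, while AFTER is an assumed shape for a relaxed policy with an explicit connect-src and is not the content of the actual patch. Path-part matching, nonces, hashes and the 'unsafe-*' keywords are deliberately left out of the source matcher.

```javascript
// Added example: a small model of how a browser applies a Content-Security-Policy
// to a fetch()/XMLHttpRequest, including the connect-src -> default-src fallback.
// Not code from WVUI, Codex, the doc.wikimedia.org puppet config or change 754048.

// Parse a CSP header value into a Map of directive name -> source list.
// Only the first occurrence of a directive is honoured; duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one source expression against the request URL. Handles 'self', 'none',
// '*', scheme sources ("https:", "data:") and host sources with an optional
// scheme, optional leading "*." wildcard and optional port. Paths are ignored.
function sourceMatches(source, target, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === pageOrigin;
  if (src === '*') return !['data:', 'blob:', 'filesystem:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src; // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme + ':') return false;
  } else if (target.protocol !== new URL(pageOrigin).protocol) {
    return false; // a scheme-less host source inherits the page's scheme (simplified)
  }
  const th = target.hostname;
  if (wildcard ? !th.endsWith('.' + host) : th !== host) return false;
  if (port && port !== '*') {
    const tp = target.port || (target.protocol === 'https:' ? '443' : '80');
    if (tp !== port) return false;
  }
  return true;
}

// Decide whether a connection to requestUrl from a page at pageOrigin is allowed.
// Returns the directive that was actually consulted so the fallback is visible.
function checkConnect(policy, pageOrigin, requestUrl) {
  const directives = parseCsp(policy);
  let name = 'connect-src';
  if (!directives.has(name)) name = 'default-src';
  if (!directives.has(name)) return { allowed: true, directive: null }; // nothing governs connections
  const target = new URL(requestUrl);
  const allowed = directives.get(name).some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive: name };
}

// Constructed sample data. BEFORE mirrors the directive quoted in the console
// error on this task; AFTER is an assumed relaxed policy, not the real patch.
const PAGE = 'https://doc.wikimedia.org';
const BEFORE = "default-src 'self' data:";
const AFTER = "default-src 'self' data:; connect-src 'self' https://en.wikipedia.org https://www.wikidata.org";
const WIKIDATA = 'https://www.wikidata.org/w/api.php?origin=*&action=wbsearchentities&format=json&search=m&language=en&limit=10&props=url';
const WIKIPEDIA = 'https://en.wikipedia.org/w/rest.php/v1/search/title?q=W&limit=10';

for (const [label, policy] of [['before', BEFORE], ['after', AFTER]]) {
  for (const u of [WIKIDATA, WIKIPEDIA, PAGE + '/codex/main/sample.json']) {
    const r = checkConnect(policy, PAGE, u);
    console.log(`${label}: ${r.allowed ? 'allowed' : 'blocked'} via ${r.directive} -> ${new URL(u).host}`);
  }
}
```

Running it shows both demo requests blocked via default-src under BEFORE and allowed via connect-src under AFTER, while same-origin requests pass in both cases. The model also illustrates why an explicit connect-src listing only the two API hosts is the narrower change: widening default-src would loosen every fetch directive that falls back to it (images, scripts, frames), whereas connect-src confines the relaxation to the XHR/fetch targets the demos actually need.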

Hey @Catrope - I left a comment on the patch and Security-Team chatted about this at our clinic this morning.

Thanks! I see a +1 review on Gerrit, so unless you tell me otherwise I'll interpret that as approval and I'll ask for review and merge from the SRE team.