Page MenuHomePhabricator
Create Task
Maniphest T305700

Enabling CORS for raw file URLs
Closed, DuplicatePublic
Actions

Description

In the Web2Cit project, we host some JSON schema files in the Gitlab repository.

We would like these files to be accessible from online JSON editors, to make it easier for our users to edit JSON files following these schemas.

However, that doesn't seem possible because the Gitlab server is not sending a Access-Control-Allow-Origin: * in the response.

This has been requested upstream, but it hasn't been resolved yet. In the meantime, using external services has been proposed as a workaround, such as https://raw.githack.com/, https://statically.io/. However, these do not work for the Wikimedia instance of Gitlab.

Would it make sense implementing this in Wikimedia's Gitlab? Or would there be a workaround, other than deploying these files to a separate domain using Gitlab CI?

Related Objects

Event Timeline

diegodlh created this task.Apr 8 2022, 2:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2022, 2:08 PM
RhinosF1 subscribed.Apr 8 2022, 2:29 PM
diegodlh added a comment.Apr 8 2022, 2:31 PM

Just adding that as a workaround I configured mirroring the repository to Github and I'm using Github raw file URLs for now, which do support CORS. For example: https://raw.githubusercontent.com/web2cit/w2c-core/main/schema/templates.schema.json

Stang added projects: Security-Team, Security.Apr 8 2022, 2:33 PM
Reedy updated the task description. (Show Details)Apr 11 2022, 4:22 PM
sbassett edited projects, added Release-Engineering-Team, SecTeam-Processed; removed Security-Team.EditedApr 11 2022, 4:23 PM
sbassett subscribed.

Tagging Release-Engineering-Team for review. I think there's maybe two security questions here:

  1. Is Wikimedia's Gitlab installation designed to function as a CDN like github's? Or is that a potential Vuln-DoS? That's a question for Release Engineering, as they are the ostensible maintainers of that system.
  2. Is there any way to mitigate the possibility of nefarious or erroneous json config files being introduced into this repository? That really ends up being a question of what safety profile maintainers of a repository like this are comfortable with. I assume some level of permissions, code-review and automated tests are established for this repository, which should prevent most scenarios concerning malicious versions of a hosted config file being accidentally or intentionally introduced.
thcipriani edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team.Apr 13 2022, 4:35 PM
brennen edited projects, added Upstream, GitLab (Infrastructure); removed GitLab.Apr 13 2022, 11:47 PM
brennen subscribed.

Is Wikimedia's Gitlab installation designed to function as a CDN like github's? Or is that a potential Vuln-DoS? That's a questions Release Engineering, as they are the ostensible maintainers of that system.

Not consciously, really. That's not to say that it would necessarily be a bad idea, but I don't really think we've factored it in to the current buildout and it's not in the scope of our current focus on just replacing Gerrit & CI.

I'll confess that I'm uncertain whether there are dangerous implications to the Access-Control-Allow-Origin header here.

I wonder if it might be better to just define a standard way of publishing static files to something actually intended as a CDN for this use case. Possibly relevant: T303546: Gitlab CI should be able to publish static html docs.

sbassett added a comment.Apr 14 2022, 3:44 PM
In T305700#7854175, @brennen wrote:

I'll confess that I'm uncertain whether there are dangerous implications to the Access-Control-Allow-Origin header here.

If we're talking read-only stuff with content-type: text/plain (I believe this is the case for all "raw" files in Gitlab), I don't think there should be any issues with setting Access-Control-Allow-Origin: *. Given the upstream link within the task description, that still does not appear to be a feature within Gitlab? I'd guess this might be possible though, with some manual config for nginx?

I wonder if it might be better to just define a standard way of publishing static files to something actually intended as a CDN for this use case. Possibly relevant: T303546: Gitlab CI should be able to publish static html docs.

Possibly, though I think doc.wikimedia.org still makes the most sense for that particular task, IMO. It might be worth using something like wmfusercontent.org (or a similar, new domain/server) to host gitlab-related raw content, as we do for Phabricator. That would provide for a bit more security/isolation and could be built to function as an intentional CDN.

brennen added a comment.Apr 14 2022, 3:56 PM

It might be worth using something like wmfusercontent.org (or a similar, new domain/server) to host gitlab-related raw content, as we do for Phabricator. That would provide for a bit more security/isolation and could be built to function as an intentional CDN.

Tentatively at least, I like that approach.

diegodlh mentioned this in T318352: Consider serving JSON schemas from Web2Cit server.Sep 22 2022, 3:15 PM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:35 PM
thcipriani edited projects, added GitLab (Upstream pit of despair 🕳️); removed GitLab (Infrastructure).Mar 8 2023, 9:31 PM
thcipriani closed this task as a duplicate of T321458: Allow Javascript files from Wikimedia GitLab to be loaded as scripts in Wikimedia wikis.Mar 8 2023, 9:34 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL