Page MenuHomePhabricator

QueryBuilder: User cannot Download query results
Closed, ResolvedPublicBUG REPORT


Steps to replicate the issue (include links if applicable):

  • Build a query in Query Builder
  • Hover to the right side, open the download menu, and click any file type

query that shows the issue

What happens?:

Download fails because of: Content Security Policy: The page’s settings blocked the loading of a resource at blob: (“default-src”).

What should have happened instead?:

Preferred data file type should have been downloaded to the local filesystem.

Software version (skip for WMF-hosted wikis like Wikipedia):

Last build: ba22b0b53a58bb3a4870d16db861a150d18f3b26

Other information (browser name/version, screenshots, etc.):

  • Firefox 107, openSUSE Tumbleweed
  • This works fine in a stand-alone embedded query results view
  • This works fine in Scholia also using the embedded query results view (e.g. here)

image.png (727×1 px, 80 KB)

Event Timeline

Lydia_Pintscher subscribed.

It looks like this doesn't have anything to do with the query builder but instead is a generic query service ui issue. I'm adding the tag for that.
I followed the steps and I can not reproduce the issue (also in Firefox). Can someone else? My hunch is that there is some privacy setting/extension in your browser involved?

Thanks for the reply Lydia! Looks like this issue stems from the Content Security Policy set by the WikiData Query Builder server. I narrowed the issue down to a CSP restriction on the iframe sandbox. It tries to download a resource at blob: , but this violates the CSP default-src self; and connect-src 'self'; directives because the scheme does not match any of the listed sources. (when going directly to the page, I also didn't get this issue, because there is no longer an iframe that tries to download a blob object).

I'm not exactly sure what is necessary to resolve this issue, but I think there are two things to look at first:

  • add blob: to the connect-src directive in the CSP in the http headers (see MDN)
  • allow-downloads directive on the iframe sandbox (see MDN)

Note that Google's CSP evaluator already lists a high severity finding for this page ('unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.)

Ok then the link to the query is misleading. It's not actually happening in a stand-alone embedded view of the query result. Here is a link that shows the problem:$MM I'll update the task description.

Lydia_Pintscher renamed this task from QueryBuilder: Download fails because of Content Security Policy to QueryBuilder: User cannot Download query results.Dec 5 2022, 3:25 PM

Change 867141 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[wikidata/query-builder@master] Add allow-downloads to results iframe sandbox

Change 867142 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[operations/puppet@production] query_service: support downloads in query builder

As far as I can tell, that CSP error is actually limited to Firefox – in Chromium, the <iframe sandbox=""> attribute seems to be the only thing preventing the download. (I didn’t test any other browsers… insert diatribe about Google’s quasi-monopoly on the browser market here /s)

Change 867141 merged by jenkins-bot:

[wikidata/query-builder@master] Add allow-downloads to results iframe sandbox

Is this supposed to be fixed in Chrome? I still get the same error:

Screenshot 2022-12-13 at 10.04.59.png (344×972 px, 169 KB)

Change 867142 merged by Jbond:

[operations/puppet@production] query_service: support downloads in query builder

Now it should be working everywhere (I tested Firefox and Chromium).

Works for me now (tested using Chrome, macOS).
Thank you!