Page MenuHomePhabricator
Create Task
Maniphest T323451

QueryBuilder: User cannot Download query results
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Build a query in Query Builder
  • Hover to the right side, open the download menu, and click any file type

query that shows the issue

What happens?:

Download fails because of: Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://query.wikidata.org/0959a91f-1f2b-4561-94e1-10bbfa778fef (“default-src”).

What should have happened instead?:

Preferred data file type should have been downloaded to the local filesystem.

Software version (skip for WMF-hosted wikis like Wikipedia):

Last build: ba22b0b53a58bb3a4870d16db861a150d18f3b26

Other information (browser name/version, screenshots, etc.):

  • Firefox 107, openSUSE Tumbleweed
  • This works fine in a stand-alone embedded query results view
  • This works fine in Scholia also using the embedded query results view (e.g. here)

image.png (727×1 px, 80 KB)

Details

SubjectRepoBranchLines +/-
query_service: support downloads in query builderoperations/puppetproduction+1 -1
Add allow-downloads to results iframe sandboxwikidata/query-buildermaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Puikstekend created this task.Nov 20 2022, 11:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2022, 11:15 AM
Maintenance_bot added a project: Wikidata.Nov 20 2022, 11:29 AM
Lydia_Pintscher added projects: TestMe, Wikidata Query UI.Nov 21 2022, 6:22 PM
Lydia_Pintscher subscribed.

It looks like this doesn't have anything to do with the query builder but instead is a generic query service ui issue. I'm adding the tag for that.
I followed the steps and I can not reproduce the issue (also in Firefox). Can someone else? My hunch is that there is some privacy setting/extension in your browser involved?

Puikstekend added a comment.Nov 22 2022, 8:26 AM

Thanks for the reply Lydia! Looks like this issue stems from the Content Security Policy set by the WikiData Query Builder server. I narrowed the issue down to a CSP restriction on the iframe sandbox. It tries to download a resource at blob:https://query.wikidata.org/xxx , but this violates the CSP default-src self; and connect-src 'self' https://www.wikidata.org https://meta.wikimedia.org; directives because the scheme does not match any of the listed sources. (when going directly to the https://query.wikidata.org/embed.html page, I also didn't get this issue, because there is no longer an iframe that tries to download a blob object).

I'm not exactly sure what is necessary to resolve this issue, but I think there are two things to look at first:

  • add blob:https://query.wikidata.org to the connect-src directive in the CSP in the http headers (see MDN)
  • allow-downloads directive on the iframe sandbox (see MDN)

Note that Google's CSP evaluator already lists a high severity finding for this page ('unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.)

Lydia_Pintscher added a comment.Nov 22 2022, 8:46 AM

Aha!
Ok then the link to the query is misleading. It's not actually happening in a stand-alone embedded view of the query result. Here is a link that shows the problem: https://w.wiki/5$MM I'll update the task description.

Lydia_Pintscher updated the task description. (Show Details)Nov 22 2022, 8:50 AM
Lydia_Pintscher removed a project: TestMe.
Lydia_Pintscher added a project: Wikidata Dev Team.Dec 2 2022, 3:06 PM
Lydia_Pintscher moved this task from Incoming to Product Backlog on the Wikidata Dev Team board.
Lydia_Pintscher triaged this task as Low priority.Dec 2 2022, 3:19 PM
Lydia_Pintscher renamed this task from QueryBuilder: Download fails because of Content Security Policy to QueryBuilder: User cannot Download query results.Dec 5 2022, 3:25 PM
Lydia_Pintscher moved this task from Product Backlog to Unified DOT Backlog on the Wikidata Dev Team board.Dec 5 2022, 3:36 PM
Lydia_Pintscher merged a task: T324847: Download result buttons on Wikidata have no effect.Dec 9 2022, 3:06 PM
Lydia_Pintscher added a subscriber: Palpalpalpal.
Lucas_Werkmeister_WMDE claimed this task.Dec 12 2022, 11:21 AM
Lucas_Werkmeister_WMDE edited projects, added Wikidata Dev Team (Sprint-∞); removed Wikidata Dev Team.
Lucas_Werkmeister_WMDE moved this task from Parents/Waiting to Doing on the Wikidata Dev Team (Sprint-∞) board.
gerritbot added a comment.Dec 12 2022, 11:56 AM

Change 867141 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[wikidata/query-builder@master] Add allow-downloads to results iframe sandbox

https://gerrit.wikimedia.org/r/867141

gerritbot added a project: Patch-For-Review.Dec 12 2022, 11:56 AM

Change 867142 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[operations/puppet@production] query_service: support downloads in query builder

https://gerrit.wikimedia.org/r/867142

Lucas_Werkmeister_WMDE moved this task from Doing to Peer Review on the Wikidata Dev Team (Sprint-∞) board.Dec 12 2022, 11:57 AM
Lucas_Werkmeister_WMDE added a comment.Dec 12 2022, 12:02 PM

As far as I can tell, that CSP error is actually limited to Firefox – in Chromium, the <iframe sandbox=""> attribute seems to be the only thing preventing the download. (I didn’t test any other browsers… insert diatribe about Google’s quasi-monopoly on the browser market here /s)

gerritbot added a comment.Dec 12 2022, 5:15 PM

Change 867141 merged by jenkins-bot:

[wikidata/query-builder@master] Add allow-downloads to results iframe sandbox

https://gerrit.wikimedia.org/r/867141

Palpalpalpal added a comment.Dec 13 2022, 9:05 AM

Is this supposed to be fixed in Chrome? I still get the same error:

Screenshot 2022-12-13 at 10.04.59.png (344×972 px, 169 KB)

Lucas_Werkmeister_WMDE added a comment.Dec 13 2022, 10:07 AM

No, not yet.

gerritbot added a comment.Dec 13 2022, 5:04 PM

Change 867142 merged by Jbond:

[operations/puppet@production] query_service: support downloads in query builder

https://gerrit.wikimedia.org/r/867142

Lucas_Werkmeister_WMDE moved this task from Peer Review to Product Verification on the Wikidata Dev Team (Sprint-∞) board.Dec 13 2022, 5:08 PM

Now it should be working everywhere (I tested Firefox and Chromium).

Maintenance_bot removed a project: Patch-For-Review.Dec 13 2022, 5:29 PM
Palpalpalpal added a comment.Dec 13 2022, 5:43 PM

Works for me now (tested using Chrome, macOS).
Thank you!

Arian_Bozorg subscribed.Dec 19 2022, 12:40 PM

Looks good to me too :)

Thanks Lucas!

Arian_Bozorg closed this task as Resolved.Dec 19 2022, 12:41 PM
Arian_Bozorg moved this task from Product Verification to Our work done on the Wikidata Dev Team (Sprint-∞) board.
karapayneWMDE moved this task from Our work done to 2022 Completed Tasks on the Wikidata Dev Team (Sprint-∞) board.Dec 20 2022, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL