QueryBuilder: User cannot Download query results
Closed, Resolved | Public | BUG REPORT


Steps to replicate the issue (include links if applicable):

  • Build a query in Query Builder
  • Hover to the right side, open the download menu, and click any file type

query that shows the issue

What happens?:

Download fails because of: Content Security Policy: The page’s settings blocked the loading of a resource at blob: (“default-src”).

What should have happened instead?:

Preferred data file type should have been downloaded to the local filesystem.

Software version (skip for WMF-hosted wikis like Wikipedia):

Last build: ba22b0b53a58bb3a4870d16db861a150d18f3b26

Other information (browser name/version, screenshots, etc.):

  • Firefox 107, openSUSE Tumbleweed
  • This works fine in a stand-alone embedded query results view
  • This works fine in Scholia also using the embedded query results view (e.g. here)

Event Timeline

Lydia_Pintscher added a subscriber: Lydia_Pintscher.

It looks like this doesn't have anything to do with the query builder but instead is a generic query service ui issue. I'm adding the tag for that.
I followed the steps and I cannot reproduce the issue (also in Firefox). Can someone else? My hunch is that there is some privacy setting/extension in your browser involved?

Thanks for the reply Lydia! Looks like this issue stems from the Content Security Policy set by the Wikidata Query Builder server. I narrowed the issue down to a CSP restriction on the iframe sandbox. It tries to download a resource at blob:, but this violates the CSP default-src 'self'; and connect-src 'self'; directives because the scheme does not match any of the listed sources. (When going directly to the page, I also didn't get this issue, because there is no longer an iframe that tries to download a blob object.)

I'm not exactly sure what is necessary to resolve this issue, but I think there are two things to look at first:

  • add blob: to the connect-src directive in the CSP in the HTTP headers (see MDN)
  • allow-downloads directive on the iframe sandbox (see MDN)

Note that Google's CSP evaluator already lists a high severity finding for this page ('unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.)

Ok, then the link to the query is misleading. It's not actually happening in a stand-alone embedded view of the query result. Here is a link that shows the problem: I'll update the task description.

Lydia_Pintscher renamed this task from QueryBuilder: Download fails because of Content Security Policy to QueryBuilder: User cannot Download query results. Dec 5 2022, 3:25 PM

Change 867141 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[wikidata/query-builder@master] Add allow-downloads to results iframe sandbox

Change 867142 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[operations/puppet@production] query_service: support downloads in query builder

As far as I can tell, that CSP error is actually limited to Firefox – in Chromium, the <iframe sandbox=""> attribute seems to be the only thing preventing the download. (I didn’t test any other browsers… insert diatribe about Google’s quasi-monopoly on the browser market here /s)
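
Added example (not part of the original thread or of the Wikidata code): a simplified Node.js model of the two conditions discussed above, a CSP source list that does not admit `blob:` and an iframe `sandbox` attribute without `allow-downloads`. The function names and header strings are constructed for illustration; the production header is not shown on this page.

```javascript
// Simplified model of the two checks from this task. All names are hypothetical.

// Parse a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Does the source list for `directive` (falling back to default-src) admit blob: URLs?
// Only an explicit `blob:` scheme source does: 'self' and `*` never match blob:.
function cspAllowsBlob(header, directive) {
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true; // no applicable directive, so no restriction
  return sources.some((s) => s.toLowerCase() === 'blob:');
}

// Does an iframe sandbox attribute permit downloads?
// null models a missing attribute; "" is the most restrictive sandbox.
function sandboxAllowsDownloads(sandboxAttr) {
  if (sandboxAttr === null) return true;
  return sandboxAttr.toLowerCase().split(/\s+/).includes('allow-downloads');
}

// Collect every reason a blob: download from the embedded frame would be blocked.
function diagnose(header, directive, sandboxAttr) {
  const reasons = [];
  if (!cspAllowsBlob(header, directive)) reasons.push(`CSP ${directive} lacks blob:`);
  if (!sandboxAllowsDownloads(sandboxAttr)) reasons.push('sandbox lacks allow-downloads');
  return reasons;
}

// Constructed sample values modelled on the thread, not the real header.
const before = "default-src 'self'; connect-src 'self'";
const after = "default-src 'self'; connect-src 'self' blob:";
console.log(diagnose(before, 'connect-src', ''));
console.log(diagnose(after, 'connect-src', 'allow-scripts allow-downloads'));
```

Passing a directive that the header does not list (for example `img-src`) exercises the `default-src` fallback, which is why adding `blob:` to one directive does not loosen the others.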

Change 867141 merged by jenkins-bot:

[wikidata/query-builder@master] Add allow-downloads to results iframe sandbox

Is this supposed to be fixed in Chrome? I still get the same error:

Screenshot 2022-12-13 at 10.04.59.png (344×972 px, 169 KB)

Change 867142 merged by Jbond:

[operations/puppet@production] query_service: support downloads in query builder

Now it should be working everywhere (I tested Firefox and Chromium).

Works for me now (tested using Chrome, macOS).
Thank you!

Looks good to me too :)

Thanks Lucas!