Add CSP headers for the linkrecommendation API sandbox
Open, Needs TriagePublic
Actions

Assigned To

None

Authored By

	Tgr
	Jun 6 2023, 12:48 PM

Description

To avoid problems like T338094: Dom based reflected XSS at https://api.wikimedia.org/service/linkrecommendation/apidocs/, the Swagger sandbox for the linkrecommendation API should come with restrictive CSP rules which disallow fetching resources from another domain.
(The same probably goes for other api.wikimedia.org APIs as well, but the mechanism of achieving it might differ from API to API.)

Related Objects

Mentioned In: T338094: Dom based reflected XSS at https://api.wikimedia.org/service/linkrecommendation/apidocs/
Mentioned Here: T338094: Dom based reflected XSS at https://api.wikimedia.org/service/linkrecommendation/apidocs/

Event Timeline

Tgr created this task.Jun 6 2023, 12:48 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2023, 12:48 PM

Tgr mentioned this in T338094: Dom based reflected XSS at https://api.wikimedia.org/service/linkrecommendation/apidocs/.Jun 6 2023, 12:48 PM

Tgr moved this task from Inbox to Triaged on the Growth-Team board.Jun 8 2023, 9:18 PM

Add CSP headers for the linkrecommendation API sandboxOpen, Needs TriagePublicActions

Description

Related Objects

Event Timeline

Add CSP headers for the linkrecommendation API sandbox
Open, Needs TriagePublic
Actions