XTools gadget triggers CSP violation warning when previewing any CN banner
Closed, DuplicatePublicBUG REPORT
Actions

Assigned To

None

Authored By

	jeremyb
	Sep 11 2024, 8:18 PM

Description

make a new account at enwiki
enable XTools gadget in gadget tab of user preferences
visit https://en.wikipedia.org/wiki/Talk:Alex_Rodriguez?banner=B24_WMDE_Desktop_DE_05_ctrl
get JS alert() with Content Security Policy violation detected! Tried to load something from https://xtools.wmcloud.org/api/page/articleinfo/en.wikipedia.org/Talk:Alex_Rodriguez?format=html&uselang=en.

seems like this happens with any article, any CN banner. not a default gadget but I imagine not rare. does CSP somehow change when a banner is loaded?

Related Objects

Mentioned In: T374625: new wording for CN &banner= CSP error message
Mentioned Here: T199055: &banner causes CSP warning

Event Timeline

jeremyb created this task.Sep 11 2024, 8:18 PM

Yes, this happens any time a banner is previewed and resources are loaded from an external (including wmcloud/toolforge) domain. It's intended as a security feature to ensure centralnotice admins don't accidentally load external resources in banners. See T199055 where changing this was declined

Pcoombe closed this task as a duplicate of T199055: &banner causes CSP warning.Sep 12 2024, 12:43 PM

jeremyb mentioned this in T374625: new wording for CN &banner= CSP error message.Sep 12 2024, 2:37 PM

• MusikAnimal moved this task from Backlog to Complete on the XTools board.Oct 24 2024, 3:37 AM

XTools gadget triggers CSP violation warning when previewing any CN bannerClosed, DuplicatePublicBUG REPORTActions

Description

Related Objects

Event Timeline

XTools gadget triggers CSP violation warning when previewing any CN banner
Closed, DuplicatePublicBUG REPORT
Actions