
CSP Warnings in LatAM banners
Closed, Declined (Public)

Description

Several users have reported seeing Content Security Policy (CSP) violation warnings when presented with the latest LatAM campaign banners listed here. The warnings report that the banners pull resources from external domains (e.g., wmcloud.org, wmflabs.org).

When trying to recreate the problem, I also got CSP warnings in Chrome reporting that the inbuilt Google Translate tool was violating the same rules and includes non-approved domains. This might have been an unhelpful distraction. Examples here

Event Timeline

Pasting this from Slack:

Peter Coombe
The warnings are due to T193332. It happens when custom scripts are enabled which load from external domains. Previewing a banner triggers a higher security mode, which flags up warnings about external content. This is intended for centralnotice admins to ensure they don't ever include external content in a banner, but in practice it seems to just cause confusion every time links are shared.
Note that this only happens when previewing a banner, not when it is shown as part of a campaign.
It used to be possible to add &safemode=1 in the links to disable custom scripts, but this causes other layout issues (due to disabling site styles) and it appears it no longer shows banners https://es.wikipedia.org/wiki/Wikipedia?banner=B2425_0210_esLA_dsk_p1_lg_txt_launchCnt&country=MX&safemode=1
fr-tech declined to remove the warning in T199055, but I would ask that this be revisited. Or at least change the wording as suggested in T374625.
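The warning described above exists so that banner admins notice external resources before a banner ships. The following is an added example, not CentralNotice or Wikimedia code, of a preview-time check that does the same job without the confusing CSP report: it lists every resource URL a banner's HTML would load from a host outside an allow-list. The allow-list (`ALLOWED_HOSTS`), the page origin used to resolve relative URLs, and the sample banner markup are all assumed or constructed for this example.

```javascript
// Added example (not CentralNotice/Wikimedia code): list banner resources
// that would load from hosts outside an assumed allow-list. This mirrors the
// class of content a CSP violation warning reports during banner preview.

// Assumed allow-list of first-party hosts (subdomains are accepted).
const ALLOWED_HOSTS = ['wikipedia.org', 'wikimedia.org'];

// Returns true when hostname is one of the allowed hosts or a subdomain of one.
function hostAllowed(hostname, allowed) {
  return allowed.some(h => hostname === h || hostname.endsWith('.' + h));
}

// Pull candidate resource URLs out of banner HTML: src/href attributes and
// CSS url(...) references in inline styles. A regex scan is used so the
// check runs both in the browser and in Node without a DOM.
function extractResourceUrls(html) {
  const urls = [];
  let m;
  const attrRe = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  while ((m = attrRe.exec(html)) !== null) urls.push(m[1]);
  const cssRe = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
  while ((m = cssRe.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Resolve each URL against the page origin (so protocol-relative and
// root-relative links are handled) and return those on non-allowed hosts.
// Non-HTTP(S) schemes such as data: are skipped; they do not load from a host.
function findExternalResources(html, pageUrl, allowed = ALLOWED_HOSTS) {
  const external = [];
  for (const raw of extractResourceUrls(html)) {
    let u;
    try { u = new URL(raw, pageUrl); } catch (e) { continue; } // unparsable: ignore
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue;
    if (!hostAllowed(u.hostname, allowed)) external.push(u.href);
  }
  return external;
}

// Constructed sample banner: two first-party resources, one data: image,
// and two external resources (hosts chosen to resemble the ones reported).
const SAMPLE_BANNER = `
<div class="banner">
  <img src="//upload.wikimedia.org/banner.png">
  <img src="data:image/png;base64,AAAA">
  <script src="https://example.wmflabs.org/custom.js"></script>
  <a href="/wiki/Wikipedia:Donar">Donar</a>
  <div style="background:url(https://example.wmcloud.org/bg.png)"></div>
</div>`;

// Assumed page origin for resolving relative URLs.
const SAMPLE_PAGE = 'https://es.wikipedia.org/wiki/Wikipedia';

// Stand-alone run: prints the external resources an admin should look at.
console.log(findExternalResources(SAMPLE_BANNER, SAMPLE_PAGE));
```

Running the block on the constructed banner reports the script from `example.wmflabs.org` and the background image from `example.wmcloud.org`, while the Wikimedia-hosted image, the root-relative link and the `data:` image pass. A real deployment would run the same function over the banner body in the CentralNotice editor before preview, so the admin sees a plain list of offending URLs rather than a browser CSP console message.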

Ejegg subscribed.

Let's change the wording of the warning! We'll bring in T374625 and decline this ticket since there's no work specific to the LatAM banners.