
CSP violation using Cloud VPS endpoint on Wikidata
Closed, Invalid (Public)

Description

We have a Cloud VPS instance at https://prove.wmcloud.org/, which we use to host ProVe (a tool for helping editors improve the references of Wikidata items). We have created the Cloud VPS instance following the guidance in task T408387.

Our intention is to use this Cloud VPS instance to host ProVe and serve Wikidata users via a gadget. Until we get a gadget, we use the JavaScript file located at https://www.wikidata.org/wiki/User:1hangzhao/ProVe.js. Currently, it points to our HPS Cluster at https://kclwqt.sites.er.kcl.ac.uk/. When trying to swap to our new domain, we encountered the following issue:

Connecting to 'https://prove.wmcloud.org/api/items/checkItemStatus?qid=Q42395533' violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback. The policy is report-only, so the violation has been logged but no further action has been taken.

We followed the instructions from Wikitech to open the DNS and port for API access, and it works when accessed externally via https://prove.wmcloud.org/apidocs. However, when accessing directly from Wikidata's page, this CSP issue occurs.

Upon reaching out via the #wikimedia-cloud libera.cat, we received the following instruction:

[16:45:02] <bd808> NathanGavenski: there are browser add-ons that can change the CSP protection locally for you. When you use a tool like that you are exposing your web application use to risks that the app authors wanted to protect you from (3rd party content interaction).

However, this doesn't work since the idea is for the user to import ProVe in their common.js file and use it as a gadget on Wikidata items.

Is there anything I can do on my end to prevent the CSP violation? Or is this a Wikidata directive?

Event Timeline

Aklapper renamed this task from Using CloudVPS endpoint on Wikidata to CSP violation using CloudVPS endpoint on Wikidata. Tue, Feb 10, 12:41 PM

You should get the same warning for your old domain as well (or at least, I can see it when I try out ProVe in a private window). Also, note that the CSP is currently in report-only mode (as mentioned at the end of the message), so nothing is actually being blocked. I believe the plan is to have some opt-out mechanism for users (“allow my gadgets / user scripts to connect to domains X, Y, Z”) before the CSP will be enforced (T208188).
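To see why both the new wmcloud.org endpoint and the old kcl.ac.uk endpoint produce a report, it helps to walk the policy quoted in the description through the CSP matching rules the browser applies: connect-src is absent, so default-src governs the request, and each source expression is then tested against the target origin. The following is an added example, not code from the task, from ProVe, or from MediaWiki; it is a small model of the relevant CSP Level 3 matching rules (host-source with `*.` wildcards, scheme-source such as `data:`, and `'self'`), with the policy string copied from the violation message and the two ProVe endpoints used as sample targets.

```python
"""Evaluate a Content-Security-Policy against outgoing connection targets.

Added example (not part of the Phabricator task): models the subset of CSP
matching that this thread turns on -- connect-src falling back to default-src,
and host-source matching with wildcards -- so a gadget author can check a
planned endpoint against a page's policy before deploying.
"""
from urllib.parse import urlsplit

# Policy copied verbatim from the report-only violation message in the task.
WIKIDATA_POLICY = (
    "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org "
    "meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org "
    "*.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org "
    "*.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org wikimedia.org"
)

# Fetch directives that fall back to default-src when not set (CSP Level 3 subset).
FALLS_BACK_TO_DEFAULT = {
    "connect-src", "img-src", "script-src", "style-src", "font-src", "media-src",
}


def parse_policy(policy):
    """Split a serialized policy into {directive_name: [source expressions]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_sources(directives, name):
    """Source list governing `name`, honouring the default-src fallback.

    Returns None when the directive is absent and has no fallback (unrestricted).
    """
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


def host_matches(pattern_host, host):
    """Host-source matching: '*' matches anything, '*.' matches any subdomain."""
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # e.g. ".wikimedia.org"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_allows(expr, target, page_origin):
    """Does one source expression permit a request to `target` from `page_origin`?"""
    t = urlsplit(target)
    p = urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (t.scheme, t.hostname, t.port) == (p.scheme, p.hostname, p.port)
    if expr.endswith(":"):  # scheme-source such as data:, blob:, https:
        return t.scheme == expr[:-1]
    if "://" in expr:  # host-source with an explicit scheme
        e = urlsplit(expr)
        return e.scheme == t.scheme and host_matches(e.hostname, t.hostname)
    return host_matches(expr.split("/")[0], t.hostname)  # bare host-source


def check_connection(policy, target, page_origin):
    """Return (allowed, governing_directive) for a fetch/XHR to `target`."""
    directives = parse_policy(policy)
    sources = effective_sources(directives, "connect-src")
    if sources is None:
        return True, None
    governing = "connect-src" if "connect-src" in directives else "default-src"
    return any(source_allows(s, target, page_origin) for s in sources), governing


if __name__ == "__main__":
    page = "https://www.wikidata.org"
    for url in (
        "https://prove.wmcloud.org/api/items/checkItemStatus?qid=Q42395533",
        "https://kclwqt.sites.er.kcl.ac.uk/",
        "https://www.wikidata.org/w/api.php",
        "https://query.wikidata.org/sparql",
    ):
        ok, directive = check_connection(WIKIDATA_POLICY, url, page)
        print(f"{url}: {'allowed' if ok else 'VIOLATION'} (governed by {directive})")
```

Run stand-alone, the script reports a violation for both ProVe hosts and allows the two Wikimedia-owned targets, matching what the browser logs. Whether a violation is merely reported or actually blocked is decided by which header carries the policy (`Content-Security-Policy-Report-Only` versus `Content-Security-Policy`), not by the policy text itself, which is why the same directive list produces only a console report today.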

fnegri subscribed.

@NathanGavenski as @Lucas_Werkmeister_WMDE explained above, I think the warning you see is to be expected, and it should not currently limit the use of your gadget.

To prevent your gadget from being blocked in the future if the CSP is enforced, I would suggest following the task that Lucas mentioned (T208188: RFC: Partial opt-out method for Content security policy), but in any case I don't think there's a plan to enforce this in the near future.

I will close this task as Invalid as there is nothing we should do about this from the Cloud VPS side. Let us know if you have further questions.

bd808 renamed this task from CSP violation using CloudVPS endpoint on Wikidata to CSP violation using Cloud VPS endpoint on Wikidata. Wed, Feb 18, 9:48 PM