Page MenuHomePhabricator
Create Task
Maniphest T419197

new CSP only allows localhost over TLS
Closed, ResolvedPublicBUG REPORT
Actions

Description

Loading JavaScript through a local server is typically used in development of userscripts. The CSP change earlier added https://localhost but not http://localhost. I don't know whether there's any risk of eavesdropping from Wikipedia to localhost. 127.0.0.1 might also need to be added.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow-list some additional domains to the currently enforcing CSPoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

DatGuy created this task.Mar 6 2026, 3:24 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 6 2026, 3:24 AM
revi subscribed.Mar 6 2026, 6:36 AM
Dragoniez subscribed.Mar 6 2026, 9:04 AM
Dragoniez added a comment.Mar 6 2026, 9:11 AM

If possible, I'd like to request that localhost:* also be allowed. Without this, web servers would need to run on port 443 only (for https), which usually requires admin privileges and is a bit too inconvenient.

Johannnes89 subscribed.Mar 6 2026, 9:32 AM
SomeRandomDeveloper subscribed.Mar 6 2026, 12:43 PM
sbassett added a project: 2026-user-javascript-incident.Mar 6 2026, 4:37 PM
sbassett added a parent task: T419265: CSP adjustments related to the 2026 user javascript incident.Mar 6 2026, 4:58 PM
EMill-WMF subscribed.Mar 6 2026, 5:01 PM

We plan to add support for http://localhost - thanks for flagging this.

sbassett subscribed.Mar 6 2026, 7:38 PM

We are now supporting http://localhost:* and https://localhost:* within the enforcing CSP, which hopefully unblocks this issue. (relevant config patch)

MBH subscribed.Mar 6 2026, 9:53 PM
Catrope closed this task as Resolved.Mar 6 2026, 11:04 PM
Catrope assigned this task to sbassett.
Nirmos subscribed.Mar 6 2026, 11:56 PM
sbassett mentioned this in T419234: CSP blocks access to publicai-proxy.alaexis.workers.dev; breaks citation verification userscript.Mar 9 2026, 6:12 PM
gerritbot added a comment.Mar 9 2026, 6:15 PM

Change #1249348 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1249348

gerritbot added a project: Patch-For-Review.Mar 9 2026, 6:15 PM
gerritbot added a comment.Mar 9 2026, 9:43 PM

Change #1249348 merged by Scott French:

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1249348

Maintenance_bot removed a project: Patch-For-Review.Mar 9 2026, 10:32 PM
Sportzpikachu mentioned this in T420539: Allow `ws://localhost:*` and `wss://localhost:*` in CSP.Wed, Mar 18, 10:21 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits