
Loading scripts or stylesheets from https://tools-static.wmflabs.org/cdnjs/ generates CSP warning
Closed, Invalid · Public · Bug Report

Description

Steps to replicate the issue (include links if applicable):

  • In the browser console on an English Wikipedia page, enter one of the following:
    • mw.loader.load('https://tools-static.wmflabs.org/cdnjs/ajax/libs/select2/4.0.13/css/select2.min.css', 'text/css');
    • mw.loader.getScript('https://tools-static.wmflabs.org/cdnjs/ajax/libs/select2/4.0.13/js/select2.min.js');

What happens?:
An error message like one of the following is produced:

Loading the stylesheet 'https://tools-static.wmflabs.org/cdnjs/ajax/libs/select2/4.0.13/css/select2.min.css' violates the following Content Security Policy directive: "style-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org wikimedia.org 'unsafe-inline'". Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback. The policy is report-only, so the violation has been logged but no further action has been taken.
Loading the script 'https://tools-static.wmflabs.org/cdnjs/ajax/libs/select2/4.0.13/js/select2.min.js' violates the following Content Security Policy directive: "script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org *.mediawiki.org 'unsafe-inline' auth.wikimedia.org". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback. The policy is report-only, so the violation has been logged but no further action has been taken.

What should have happened instead?:
The script or stylesheet should load without producing an error, and wmflabs.org should be one of the domains listed.

Other information (browser name/version, screenshots, etc.):
Opening this as a separate bug per the advice in T419237

Event Timeline

Did functionality break, or are you just noting the error in the console? The error messages describe that these are report-only violations, so no further action was taken besides logging it.

We may adjust our report-only policy, but at least right now it is expected that the report-only set is stricter, so that we continue to get a sense of the volume of usage. These reports are how we calibrate our CSP policy to understand real-world use and minimize breakage.
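To make the two console messages above concrete, here is an added example (not MediaWiki or Wikimedia code) of a small CSP source-list matcher, run against an abridged copy of the report-only `style-src` and `script-src` directives quoted in the report; the host names, the select2 URL and the `https://en.wikipedia.org` origin come from the report, and port matching is left out because no source in the quoted policy uses one.

```javascript
// Added example (not MediaWiki or Wikimedia code): a minimal CSP source matcher
// following the CSP3 host-source rules; abridged copy of the task's report-only policy.
const REPORT_ONLY_POLICY =
  "style-src 'self' data: blob: upload.wikimedia.org *.wikimedia.org *.wikipedia.org 'unsafe-inline'; " +
  "script-src 'unsafe-eval' blob: 'self' *.wikimedia.org *.wikipedia.org 'unsafe-inline' auth.wikimedia.org";
// What the report asks for: the CDN host added to both directives.
const FIXED_POLICY = REPORT_ONLY_POLICY.replace(/(style|script)-src/g, '$& tools-static.wmflabs.org');
const SELECT2_CSS = 'https://tools-static.wmflabs.org/cdnjs/ajax/libs/select2/4.0.13/css/select2.min.css';

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one source expression permit fetching `url` from a document at `origin`? (ports not handled)
function sourceMatches(expr, url, origin) {
  if (expr === "'self'") return url.origin === origin;
  if (expr.startsWith("'")) return false;                 // 'unsafe-inline' etc. are not host sources
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // data:, blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  // A host-source without a scheme inherits the page's scheme; http may be upgraded to https.
  const want = scheme ? scheme.toLowerCase() + ':' : new URL(origin).protocol;
  if (url.protocol !== want && !(want === 'http:' && url.protocol === 'https:')) return false;
  const h = url.hostname.toLowerCase(), base = host.toLowerCase();
  return wildcard ? h.endsWith('.' + base) : h === base;
}
// Fallback chain the console message describes: style-src-elem -> style-src -> default-src.
function effectiveDirective(directives, kind) {
  return [kind + '-src-elem', kind + '-src', 'default-src'].find(n => n in directives) || null;
}
// Evaluate one load; `kind` is 'style' or 'script'. Returns what the browser would report.
function checkLoad(policy, href, kind, origin = 'https://en.wikipedia.org') {
  const directives = parseCsp(policy);
  const directive = effectiveDirective(directives, kind);
  if (!directive) return { allowed: true, directive: null };   // no directive governs this load
  const url = new URL(href);
  const allowed = directives[directive].some(e => sourceMatches(e, url, origin));
  return { allowed, directive };
}
console.log(checkLoad(REPORT_ONLY_POLICY, SELECT2_CSS, 'style')); // { allowed: false, directive: 'style-src' }
console.log(checkLoad(FIXED_POLICY, SELECT2_CSS, 'style'));       // { allowed: true, directive: 'style-src' }
```

Because the quoted policy is report-only, a `false` result here corresponds to a logged violation, not a blocked load, which is why the script still works in the reporter's test.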

Aklapper changed the task status from Open to Stalled. Mar 16 2026, 10:29 AM

@Ahecht: Could you please answer the last comment? Thanks in advance!

Sorry. The script appears to work (there may be a slowdown, or it could be my imagination), it just clogs up the console.

sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.
sbassett moved this task from Backlog to Done on the ContentSecurityPolicy board.
Aklapper renamed this task from "Loading scripts or stylesheets from https://tools-static.wmflabs.org/cdnjs/ generates CSP error" to "Loading scripts or stylesheets from https://tools-static.wmflabs.org/cdnjs/ generates CSP warning". Mar 16 2026, 3:23 PM
Aklapper changed the task status from Resolved to Invalid.
Aklapper removed sbassett as the assignee of this task.
Aklapper added a subscriber: sbassett.