Page MenuHomePhabricator
Create Task
Maniphest T419351

Add overpass-api.de (OSM) and api.openrouteservice.org to Wikimedia's CSP allowlist (for en.wikivoyage gadgets)
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:

CSP error is reported when the gadget tries to access the endpoints.

What should have happened instead?:

  • Maptool should be able to query OSM POIs via the overpass API
  • TripPlanner should be able to query openrouteservice to either get list of routes, or optimize order of POIs

Both services are +- free and I assume safe (although in general, probably XSS could happen with some forged data in their databases, in case the returned stuff was not properly sanitized)...

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow-list some additional domains to the currently enforcing CSPoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andree.sk created this task.Mar 8 2026, 8:22 PM
A_smart_kitten renamed this task from overpass-api.de (OSM) and api.openrouteservice.org to Add overpass-api.de (OSM) and api.openrouteservice.org to Wikimedia's CSP allowlist (for en.wikivoyage gadgets).Mar 8 2026, 8:33 PM
A_smart_kitten updated the task description. (Show Details)
Johannnes89 unsubscribed.Mar 8 2026, 8:57 PM
gerritbot added a comment.Mar 9 2026, 4:23 PM

Change #1249348 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1249348

gerritbot added a project: Patch-For-Review.Mar 9 2026, 4:23 PM
Nirmos unsubscribed.Mar 9 2026, 6:31 PM
gerritbot added a comment.Mar 9 2026, 9:43 PM

Change #1249348 merged by Scott French:

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1249348

sbassett added a comment.Mar 9 2026, 10:25 PM

Hey all -

  • overpass-api.de
  • api.openrouteservice.org

should now be allowed within Wikimedia projects CSP.

Maintenance_bot removed a project: Patch-For-Review.Mar 9 2026, 10:30 PM
sbassett closed this task as Resolved.Mar 10 2026, 8:00 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Backlog to Done on the ContentSecurityPolicy board.
sbassett moved this task from Inbox to Done (waiting deployment) on the Product Safety and Integrity board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits