Page MenuHomePhabricator
Create Task
Maniphest T419502

Extensions and some localizations of InPageEdit NEXT are blocked by CSP
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

Load InPageEdit NEXT as recommended on their home page:

// InPageEdit NEXT
document.body.append(
  Object.assign(document.createElement('script'), {
    src: 'https://cdn.jsdelivr.net/npm/@inpageedit/core/dist/index.js',
    type: 'module',
  })
)

What happens?:

Localizations and extensions stopped working. For example, the "quick edit" dialog shows "watchlist.preferences" in place of "follow MediaWiki preferences", and the "plugin store" in "settings" reports that all extensions cannot be loaded.

What should have happened instead?:

They should all load.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

  • MediaWiki: WMF (zhwiki)
  • InPageEdit NEXT: 0.17.0

Other information (browser name/version, screenshots, etc.):

This is clearly a CSP issue, so I am reporting it here instead of upstream.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow-list some additional domains to the currently enforcing CSPoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

1F616EMO created this task.Mar 10 2026, 4:36 AM
Restricted Application added a subscriber: Stang. · View Herald TranscriptMar 10 2026, 4:36 AM
Johannnes89 unsubscribed.Mar 10 2026, 5:57 AM
Aklapper removed subscribers: Stang, dragon-fish, sbassett and 14 others.EditedMar 10 2026, 9:19 AM

[Removing needlessly copied subscribers from the parent task]

Sending your personal information without a warning to third-party cdn.jsdelivr.net looks more like a privacy leak / poor design than a feature to me.

1F616EMO added a subscriber: dragon-fish.Mar 10 2026, 9:20 AM

@dragon-fish, the gadget's maintainer, is intentional here.

sbassett added a comment.Mar 10 2026, 1:23 PM

Hmm, *.jsdelivr.net is currently allow-listed within the enforcing CSP:

https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/refs/heads/production/modules/varnish/templates/text-frontend.inc.vcl.erb#840

Is the CSP actually blocking requests to cdn.jsdelivr.net or are they report-only warnings within the browser?

A_smart_kitten added a comment.Mar 10 2026, 2:07 PM

Loading that script in a private browsing window (ie. logged-out), I get the following CSP-related messages in my console:

Connecting to 'https://registry.ipe.wiki/i18n/index.json' violates the following Content Security Policy directive: [...]
Fetch API cannot load https://registry.ipe.wiki/i18n/index.json. Refused to connect because it violates the document's Content Security Policy.
Connecting to 'https://analytics.ipe.wiki/api/v6/submit' violates the following Content Security Policy directive: [...]

So it seems like it's not jsdelivr itself that's blocked, but some sites the loaded script then seems to call.

Rsilvola added a project: Security-Team.Mar 13 2026, 1:55 PM
Rsilvola moved this task from Incoming to In Progress on the Security-Team board.Mar 13 2026, 1:57 PM
Rsilvola added a project: SecTeam-Processed.Mar 13 2026, 2:00 PM
Rsilvola moved this task from Inbox to Sprint Crocus (Mar 2 - Mar 20) on the Product Safety and Integrity board.Mar 13 2026, 2:16 PM
Rsilvola edited projects, added Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)); removed Product Safety and Integrity.
gerritbot added a comment.Mar 13 2026, 9:14 PM

Change #1251550 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1251550

gerritbot added a project: Patch-For-Review.Mar 13 2026, 9:14 PM
SomeRandomDeveloper subscribed.Mar 13 2026, 10:36 PM
1F616EMO changed the task status from Open to In Progress.Mar 14 2026, 7:35 AM
1F616EMO assigned this task to sbassett.
1F616EMO triaged this task as Low priority.
BucheonCityHall removed sbassett as the assignee of this task.Mar 14 2026, 7:44 AM
BucheonCityHall raised the priority of this task from Low to Unbreak Now!.
BucheonCityHall added subscribers: sbassett, BucheonCityHall.

hahah

BucheonCityHall changed the subtype of this task from "Bug Report" to "Deadline".Mar 14 2026, 7:44 AM

ㅋㅋㅋ

BucheonCityHall closed this task as Resolved.Mar 14 2026, 7:45 AM
BucheonCityHall claimed this task.
BucheonCityHall removed subscribers: sbassett, SomeRandomDeveloper, dragon-fish and 2 others.

Resolved.

1F616EMO reopened this task as In Progress.Mar 14 2026, 7:46 AM
1F616EMO reassigned this task from BucheonCityHall to sbassett.
1F616EMO lowered the priority of this task from Unbreak Now! to Low.
1F616EMO edited subscribers, added: sbassett, SomeRandomDeveloper, dragon-fish and 2 others; removed: BucheonCityHall.
1F616EMO changed the subtype of this task from "Deadline" to "Bug Report".Mar 14 2026, 7:51 AM
Ladsgroup subscribed.Mar 16 2026, 4:37 PM

It would be much better if we simply move the js to https://cdnjs.toolforge.org/ instead?

sbassett added a comment.Mar 16 2026, 6:13 PM
In T419502#11714587, @Ladsgroup wrote:

It would be much better if we simply move the js to https://cdnjs.toolforge.org/ instead?

Ultimately, yes, IMO.

gerritbot added a comment.Mar 16 2026, 6:22 PM

Change #1251550 merged by BCornwall:

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1251550

Maintenance_bot removed a project: Patch-For-Review.Mar 16 2026, 6:33 PM
sbassett added a comment.Tue, Mar 17, 5:09 PM

@1F616EMO Can we call this task resolved for now, given that the ipe.wiki domains are now allow-listed in Wikimedia production? If there are any additional issues that surface, we can re-open this task.

Catrope moved this task from Backlog to Q3 on the 2026-user-javascript-incident board.Wed, Mar 18, 4:32 PM
MLechvien-WMF added a project: Sustainability (Incident Followup).Thu, Mar 19, 11:43 AM
sbassett closed this task as Resolved.Thu, Mar 19, 3:26 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.

I'm going to resolve this task for now. If any additional issues come up, please feel free to re-open.

sbassett moved this task from Backlog to Done on the ContentSecurityPolicy board.Thu, Mar 19, 3:26 PM
hector.arroyo moved this task from Backlog to Done on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Fri, Mar 20, 9:39 AM
1F616EMO awarded a token.Fri, Mar 20, 10:37 AM
A_smart_kitten mentioned this in T421033: Request for CSP allowance for usage on Chinese Wikipedia.Tue, Mar 24, 10:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits