
Allow gadgets to define own CSP allowlist entries
Open, Needs Triage, Public, Feature

Description

T419265: CSP adjustments related to the 2026 user javascript incident added a number of domains to the CSP allowlist. However:

  • It is not scalable: if we add 1000 domains we need ~30-100 KB in each web request.
  • Most of the domains have a very niche use, only used in some certain gadget/site/page.
  • Many of the entries may be over-broad (allowing all of jsdelivr effectively allows any JS from npm to be loaded).
  • Managing it requires modifying the Wikimedia Puppet configuration.
  • This does not prevent non-WMF resources from being loaded in site default JSes (e.g. common.js) or default gadgets, which is a privacy concern.

So it should be better to tie CSP allowlist entries to specific gadgets. When a page is loaded we find all gadgets used and combine their CSP with $wgCSPHeader, and send it after deduplication.

  • A gadget may dynamically load other gadgets, and this cannot change a CSP that has already been applied. So CSP should be defined in a "master" gadget that is directly served.
  • Of course, other than gadgets there are also other user scripts. Solutions for that may be: (1) turn that into a gadget (T419692, T36958); (2) create an empty gadget to populate the CSP records; (3) allow users to add individual allowlist domains (T208188).
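One way the proposed merge could work, as an added Python sketch that is not code from this task or from MediaWiki. The policy shape standing in for $wgCSPHeader, the gadget records, the `master` flag and the host-source check are all assumptions made for the example:

```python
import re
from collections import OrderedDict

# Constructed base policy standing in for $wgCSPHeader (assumed shape, not MediaWiki's real config).
BASE_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    "connect-src": ["'self'"],
}

# Constructed gadget records. Only directly served ("master") gadgets may contribute entries,
# because a gadget loaded dynamically later cannot change a CSP header that was already sent.
GADGETS = {
    "ArchiveScans": {"master": True, "csp": {"connect-src": ["https://iiif.archive.org/"]}},
    "HelperLib": {"master": False, "csp": {"script-src": ["https://cdn.example.invalid/lib.js"]}},
    "Charts": {"master": True, "csp": {"script-src": ["https://cdn.example.invalid/charts/"],
                                        "connect-src": ["https://iiif.archive.org/"]}},
    "Broad": {"master": True, "csp": {"script-src": ["*", "https:"]}},
}

# Assumed validation rule: a gadget may only add explicit https host-sources (optionally with a
# path), never '*', scheme-only sources, wildcard hosts or keywords such as 'unsafe-eval'.
HOST_SOURCE = re.compile(r"^https://(?!\*)[a-z0-9.-]+(?::\d+)?(?:/[^\s;,]*)?$", re.IGNORECASE)

def valid_source(src):
    """True for an explicit https host-source; rejects over-broad entries."""
    return bool(HOST_SOURCE.match(src))

def build_csp(base, gadgets, loaded):
    """Merge allowlist entries of the loaded master gadgets into the base policy, deduplicated.

    Returns (policy, rejected) where rejected lists (gadget, directive, source) tuples."""
    policy = OrderedDict((d, list(v)) for d, v in base.items())  # copy, never mutate the base
    rejected = []
    for name in loaded:
        gadget = gadgets[name]
        if not gadget["master"]:
            continue
        for directive, sources in gadget["csp"].items():
            for src in sources:
                if not valid_source(src):
                    rejected.append((name, directive, src))
                    continue
                bucket = policy.setdefault(directive, [])
                if src not in bucket:  # dedupe across gadgets and against the base
                    bucket.append(src)
    return policy, rejected

def render(policy):
    """Serialize the merged policy as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items())
```

The `Broad` record shows the kind of entry the validation is meant to refuse; the header is rendered only from what survived the merge.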

Event Timeline

How about an official haproxy on toolforge that would allow adding new rules? It seems like e.g. T419232: CSP blocks access to iiif.archive.org; breaks script for pulling high-resolution scans from archive.org (for use at Wikisource) would be better implemented via a proxy (the user insisted only a specific .json call should be possible).

Aklapper changed the subtype of this task from "Task" to "Feature Request". Sat, Mar 14, 1:31 PM