Page MenuHomePhabricator
Create Task
Maniphest T420146

Content Security Policy now breaks use of iNaturalist API on Commons
Closed, ResolvedPublicBUG REPORT
Actions

Description

I imagine this is due to the recent security breach on Meta, but whatever changes were made to the Content Security Policy seem to have broken communication between Commons and iNaturalist. This means it is no longer possible to use the iNaturalist2Commons tool, which is frequently used there. (It's been used to import 190,918 files over the past 7 years).

Steps to replicate the issue (include links if applicable):

What happens?:

It gives the error "Error: Loading images failed. If you are using a privacy plug-in like Privacy Badger, you may need to adjust your settings."

In the Javascript console, it gives the following error:
Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://api.inaturalist.org/v1/observations?photo_license=cc0%2Ccc-by%2Ccc-by-sa&quality_grade=research&taxon_id=153516&per_page=84 because it violates the following directive: “default-src 'unsafe-eval' 'unsafe-inline' 'self' data: blob: https://*.wikimedia.org https://*.wikipedia.org https://*.wikinews.org https://*.wiktionary.org https://*.wikibooks.org https://*.wikiversity.org https://*.wikisource.org https://wikisource.org https://*.wikiquote.org https://*.wikidata.org https://*.wikifunctions.org https://*.wikivoyage.org https://*.mediawiki.org https://mediawiki.org https://wikimedia.org https://*.wmflabs.org https://*.wmcloud.org https://*.toolforge.org https://*.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com https://raw.githubusercontent.com https://*.github.com https://code.jquery.com https://cdn.mathjax.org https://use.typekit.net https://fonts.cdnfonts.com https://use.fontawesome.com https://i.ytimg.com https://rsms.me https://doi.org https://localhost https://localhost:* http://localhost:* https://*.google.com https://*.gstatic.com https://*.googleapis.com https://*.translate.yandex.net https://yastatic.net https://ya.ru https://radically.github.io https://cdn.sammdot.ca https://cdn.fontshare.com https://viaf.org https://publicai-proxy.alaexis.workers.dev https://iiif.archive.org https://api.flickr.com https://live.staticflickr.com https://api.anthropic.com https://api.openai.com https://api.publicai.co https://catalogo.pusc.it https://parsifal.urbe.it https://opac.sbn.it https://overpass-api.de https://api.openrouteservice.org https://archive.org https://*.openstreetmap.org https://*.waymarkedtrails.org https://*.thunderforest.com” jquery.js:9940:10

What should have happened instead?:
It should allow communication with the iNaturalist API.

Other information (browser name/version, screenshots, etc.):
Firefox and Chrome tested.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow-list some additional domains to the currently enforcing CSPoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Nosferattus created this task.Mar 15 2026, 5:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 15 2026, 5:28 PM
Nosferattus updated the task description. (Show Details)Mar 15 2026, 5:28 PM
RhinosF1 added a project: 2026-user-javascript-incident.Mar 15 2026, 5:30 PM
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptMar 15 2026, 5:30 PM
RhinosF1 added a parent task: T419265: CSP adjustments related to the 2026 user javascript incident.Mar 15 2026, 5:31 PM
RhinosF1 added a project: Product Safety and Integrity.
Nosferattus added a comment.Mar 15 2026, 5:33 PM

Probably we just need to add "https://api.inaturalist.org" to whatever whitelist is being used in that console error.

JJMC89 removed a project: JavaScript.Mar 15 2026, 5:42 PM
Jdlrobson subscribed.Mar 15 2026, 10:20 PM

https://wikilovesinat.netlify.app/ still appears to be working if you need a tool in the mean time.

A_smart_kitten mentioned this in T420162: Headers for some Phab notification emails reference a Herald rule that is currently disabled.Mar 16 2026, 7:37 AM
Nux subscribed.Mar 16 2026, 11:39 AM

This (and other tasks) could be resolved with connect-src: http: which should allow loading JSON just fine. Note that changing default-src will change script-src and in turn script-src-elem which would allow easy loading and executing scripts directly from that domain. So you probably do not want that when you only need to allow downloading JSON. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-elem

FriedrickMILBarbarossa added a project: Commons.Mar 16 2026, 11:54 AM
gerritbot added a comment.Mar 16 2026, 3:53 PM

Change #1251550 had a related patch set uploaded (by SBassett; author: SBassett):

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1251550

gerritbot added a project: Patch-For-Review.Mar 16 2026, 3:53 PM
gerritbot added a comment.Mar 16 2026, 6:22 PM

Change #1251550 merged by BCornwall:

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1251550

neriah closed this task as Resolved.Mar 16 2026, 6:28 PM
neriah assigned this task to sbassett.
Maintenance_bot removed a project: Patch-For-Review.Mar 16 2026, 6:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits