Page MenuHomePhabricator
Create Task
Maniphest T420291

iNaturalist2Commons user script can't load image thumbnails from iNaturalist any more due to Content Security Policy
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:

Dialog box pops up with all broken images.

What should have happened instead?:

It should load the thumbnail images from iNaturalist.

An example image URL for a thumbnail:
https://inaturalist-open-data.s3.amazonaws.com/photos/625336605/square.jpg

Example HTML loaded by the script:

<img data-photo-id="625336605" src="https://inaturalist-open-data.s3.amazonaws.com/photos/625336605/square.jpg" height="75" width="75">

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Allow-list some additional domains to the currently enforcing CSPoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Nosferattus created this task.Mar 17 2026, 12:00 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 17 2026, 12:01 AM
Nosferattus updated the task description. (Show Details)Mar 17 2026, 12:02 AM
RhinosF1 added a parent task: T419265: CSP adjustments related to the 2026 user javascript incident.Mar 17 2026, 7:40 AM
Restricted Application added a subscriber: RhinosF1. · View Herald TranscriptMar 17 2026, 7:40 AM
sbassett added a comment.Mar 17 2026, 5:10 PM

@Nosferattus - it sounds like allow-listing inaturalist-open-data.s3.amazonaws.com should resolve this issue?

sbassett changed the task status from Open to In Progress.Mar 17 2026, 5:11 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett added a project: Security-Team.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
Nosferattus added a comment.Mar 17 2026, 6:28 PM

@sbassett - I think so. All of iNaturalist's free license images are hosted on Amazon AWS. I'm not 100% sure they all use inaturalist-open-data.s3.amazonaws.com, but that seems to be the case from my spot checks. We can try just adding that to the allow-list and then follow-up if necessary.

Catrope moved this task from Backlog to Q3 on the 2026-user-javascript-incident board.Mar 18 2026, 4:33 PM
MLechvien-WMF added a project: Sustainability (Incident Followup).Mar 19 2026, 11:43 AM
gerritbot added a comment.Mar 20 2026, 9:18 PM

Change #1255066 had a related patch set uploaded (by SBassett; author: Sportzpikachu):

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1255066

gerritbot added a project: Patch-For-Review.Mar 20 2026, 9:18 PM
gerritbot added a comment.Mar 23 2026, 6:22 PM

Change #1255066 merged by Ssingh:

[operations/puppet@production] Allow-list some additional domains to the currently enforcing CSP

https://gerrit.wikimedia.org/r/1255066

Maintenance_bot removed a project: Patch-For-Review.Mar 23 2026, 6:30 PM
sbassett closed this task as Resolved.Mar 23 2026, 7:01 PM
sbassett moved this task from Inbox to Done (waiting deployment) on the Product Safety and Integrity board.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits