Page MenuHomeMiraheze
Create Task
Maniphest T4760

Add some sites to frame and CSP whitelist
Closed, ResolvedPublic
Actions

Description

Wiki URLhttps://mcspringfieldserver.miraheze.org

Hello,

I am trying to add a Widget to create iframe,
but external assets not native to Miraheze, the widget will not load the information.

I am using this widget: https://mcspringfieldserver.miraheze.org/wiki/Widget:NetEasy_CloudMusic_iframe

so may I ask to add these websites to the csp and frame whitelist?
https://music.163.com This is a music website in China, sometimes we need use the resources on it;
https://*.bilibili.com This is a video website in China, we have some videos in it and sometimes we need invoke those videos.

To my knowledge, this should present no security issues.

Sorry bad English,

Thank you in advance.

Related Objects
Search...

Event Timeline

Aunst created this task.Oct 2 2019, 13:40
Herald added subscribers: RhinosF1, CnocBride, Zppix and 3 others. · View Herald TranscriptOct 2 2019, 13:40
RhinosF1 added a parent task: T4612: Add some extensions on "mcspringfieldserver.miraheze.org".Oct 10 2019, 21:27
Reception123 added a subscriber: Paladox.Nov 30 2019, 06:45

@Paladox

Herald edited subscribers, added: Examknow; removed: RhinosF1. · View Herald TranscriptNov 30 2019, 06:45
Reception123 added a parent task: T5092: Create a CSP whitelist policy.Jan 11 2020, 09:11
Reception123 added a comment.Apr 2 2020, 10:39

Sorry for the delay in answering this. Is this still needed?

Aunst added a comment.Apr 7 2020, 08:53
In T4760#101862, @Reception123 wrote:

Sorry for the delay in answering this. Is this still needed?

Yes, I still need this.

Restricted Repository Identity mentioned this in rPUPCa0ad7c5b0dbc: T4760: add music.163.com & bilibili.com to CSP (#1323).Apr 9 2020, 00:26
Zppix closed this task as Resolved.Apr 9 2020, 00:26
Zppix claimed this task.

the sites requested have now been whitelisted, once again we are sorry for the delay in responding

Aunst added a comment.EditedApr 11 2020, 14:32

Annotation 2020-04-11 23.16.23.png (20×911 px, 886 B)

Sorry, but there has a problem in whitelist, the domain of music.163.com should be music.163.com instead of *.music.163.com

Aunst reopened this task as Open.Apr 12 2020, 00:31
Aunst lowered the priority of this task from Normal to Low.
Zppix closed this task as Resolved.Apr 12 2020, 02:04
In T4760#102869, @Aunst wrote:

Annotation 2020-04-11 23.16.23.png (20×911 px, 886 B)

Sorry, but there has a problem in whitelist, the domain of music.163.com should be music.163.com instead of *.music.163.com

*.music.163.com will cover the entire domain including what you need.

Aunst added a comment.EditedApr 12 2020, 02:23
In T4760#102933, @Zppix wrote:
In T4760#102869, @Aunst wrote:

Annotation 2020-04-11 23.16.23.png (20×911 px, 886 B)

Sorry, but there has a problem in whitelist, the domain of music.163.com should be music.163.com instead of *.music.163.com

*.music.163.com will cover the entire domain including what you need.

But in my browser (Mozilla Firefox 75.0) , the console said

Content Security Policy: The page's settings blocked the loading of a resource at https://music.163.com/outchain/player?type=2&id=23826376&auto=0&height=66 ("default-src").
(https://mcspringfieldserver.miraheze.org/wiki/User:Aunst)

I think the whitelist should be *.163.com or music.163.com.

Aunst reopened this task as Open.Apr 12 2020, 02:24
Restricted Repository Identity mentioned this in rPUPC519927b16ec6: change *.music.163.com -> *.163.com for T4760 (#1333).Apr 12 2020, 16:56
Zppix closed this task as Resolved.Apr 12 2020, 18:33

changed