Page MenuHomeMiraheze
Create Task
Maniphest T4914

Content Security Policy Violation: Extension:AddThis
Closed, ResolvedPublic
Actions

Description

During unrelated testing, A CSP Violation was discovered on publictestwiki.com,

addthis_widget.js:2 Refused to load the script 'https://z.moatads.com/addthismoatframe568911941483/moatframe.js' because it violates the following Content Security Policy directive: "default-src 'self' blob: data:  *.miraheze.org *.wikimedia.org *.wikipedia.org *.wikibooks.org *.wiktionary.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikinews.org *.wikivoyage.org *.mediawiki.org mediawiki.org *.wikidata.org wikidata.org *.wmflabs.org *.google.com *.gstatic.com *.addthis.com *.youtube.com *.youtube-nocookie.com maxcdn.bootstrapcdn.com twitter.com *.creativecommons.org images.uncyc.org www.mikrodev.com *.reviservices.com *.twitter.com www.sciencedaily.com *.googleapis.com *.twimg.com discordapp.com *.tile.openstreetmap.org *.freenode.net *.sorcery.net *.fontawesome.com *.a.wmflabs.org nenawiki.org *.cloudytheology.com i.imgur.com na.llnet.sims3store.cdn.ea.com cdn.discordapp.com m.media-amazon.com image.tmdb.org *.miraheze.org 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback

I believe this to be connected to Extension:AddThis, I was logged out at the time (despite being globally logged in but that's another issue.

Related Objects
Search...

Event Timeline

RhinosF1 created this task.Nov 17 2019, 11:21
Herald added a subscriber: Reception123. · View Herald TranscriptNov 17 2019, 11:21
RhinosF1 added a comment.Nov 17 2019, 11:22

Extension disabled on TestWiki but no other action taken globally as of now as CSP seems to work.

RhinosF1 added a project: Extensions.Nov 17 2019, 11:22
Herald added a subscriber: NDKilla. · View Herald TranscriptNov 17 2019, 11:22
John lowered the priority of this task from High to Normal.Nov 17 2019, 12:16
John changed the visibility from "Custom Policy" to "Public (No Login Required)".
John changed the edit policy from "Custom Policy" to "All Users".
John edited projects, added Site Reliability Engineering; removed acl*security.
Herald added subscribers: Examknow, CnocBride, Void. · View Herald TranscriptNov 17 2019, 12:16
John subscribed.Nov 17 2019, 12:16

Not a security issue

RhinosF1 added a comment.Nov 17 2019, 15:35

Per Staff IRC, This needs discussion among Site Reliability Engineering to determine whether to
a) Turn off the cause (either the extension or feature leading to the CSP Violation if possible)
b) Add this to the CSP whitelist

As leaving a CSP Violation showing in consoles isn’t good practice

Reception123 added a parent task: T5092: Create a CSP whitelist policy.Jan 11 2020, 09:01
Paladox moved this task from Backlog to Deployed Extension Bugs on the Extensions board.Apr 9 2020, 01:26
Paladox removed a project: Extensions.
John moved this task from Radar to Discussion on the Site Reliability Engineering board.Apr 13 2020, 14:12
Reception123 mentioned this in T5630: kkutuwiki is violating the CSP.May 21 2020, 15:09
John added a comment.Oct 1 2020, 20:47

This is fine from me, but needs a second per to approve per policy

Reception123 closed this task as Resolved.Oct 3 2020, 14:42
Reception123 claimed this task.

Added.

Restricted Repository Identity mentioned this in rPUPC45710bcfda8f: add z.moatads.com to CSP.Oct 3 2020, 14:42