Page MenuHomeMiraheze

Content Security Policy Violation: Extension:AddThis
Open, NormalPublic

Description

During unrelated testing, A CSP Violation was discovered on publictestwiki.com,

addthis_widget.js:2 Refused to load the script 'https://z.moatads.com/addthismoatframe568911941483/moatframe.js' because it violates the following Content Security Policy directive: "default-src 'self' blob: data:  *.miraheze.org *.wikimedia.org *.wikipedia.org *.wikibooks.org *.wiktionary.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikinews.org *.wikivoyage.org *.mediawiki.org mediawiki.org *.wikidata.org wikidata.org *.wmflabs.org *.google.com *.gstatic.com *.addthis.com *.youtube.com *.youtube-nocookie.com maxcdn.bootstrapcdn.com twitter.com *.creativecommons.org images.uncyc.org www.mikrodev.com *.reviservices.com *.twitter.com www.sciencedaily.com *.googleapis.com *.twimg.com discordapp.com *.tile.openstreetmap.org *.freenode.net *.sorcery.net *.fontawesome.com *.a.wmflabs.org nenawiki.org *.cloudytheology.com i.imgur.com na.llnet.sims3store.cdn.ea.com cdn.discordapp.com m.media-amazon.com image.tmdb.org *.miraheze.org 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback

I believe this to be connected to Extension:AddThis, I was logged out at the time (despite being globally logged in but that's another issue.

Event Timeline

Extension disabled on TestWiki but no other action taken globally as of now as CSP seems to work.

John lowered the priority of this task from High to Normal.Nov 17 2019, 12:16
John changed the visibility from "Custom Policy" to "Public (No Login Required)".
John changed the edit policy from "Custom Policy" to "All Users".
John edited projects, added Site Reliability Engineering; removed acl*security.

Not a security issue

Per Staff IRC, This needs discussion among Site Reliability Engineering to determine whether to
a) Turn off the cause (either the extension or feature leading to the CSP Violation if possible)
b) Add this to the CSP whitelist

As leaving a CSP Violation showing in consoles isn’t good practice

Paladox removed a project: Extensions.