
CSP whitelist openagenda.com
Closed, Declined (Public)

Description

I am trying to add an OpenAgenda iframe on my wiki. Here is a help page in French that you might be able to retrieve in English (I cannot, as I am always redirected to the French one): https://openagenda.zendesk.com/hc/fr/articles/212801065-Widget-d-aper%C3%A7u

I have created a widget here https://zw.fontainebleau-avon.fr/wiki/Widget:OpenAgenda that I call on the Homepage {{#widget:OpenAgenda}}

I do see the frame on the Homepage (which is above the maps) but it does not display the inside that should be : https://openagenda.com/agendas/25554071/embeds/56281713/events?lang=fr

Below is a part of the chat between RhinosF1 and me on IRC on November 30th, 2019 :

<RhinosF1> Does anything show in the developer console?
<Kevin77300> Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://openagenda.com/js/embed/cibulBodyWidget.js (« default-src »).
<Kevin77300> Which can be translated into : the parameters of the page prevented to load a resource in http://...
<RhinosF1> Kevin77300: looks like it's (intentionally) been blocked. You'll need to request a CSP exemption on Phabricator
<RhinosF1> Or get it whitelisted

Another solution would be adding the <div> only and not the iframe, but I'm not good enough to troubleshoot this.

Can you help me on this topic ?

Event Timeline

Below is the <div> displayed here that would work for me : https://openagenda.zendesk.com/hc/fr/articles/212801065-Widget-d-aper%C3%A7u

<div class="oa-preview cbpgpr" data-oapr data-cbctl="25554071|fr"> 
<a href="https://openagenda.com/agendas/25554071">Voir l'agenda</a> 
</div><script src="//openagenda.com/js/embed/oaPreviewWidget.js"></script>

The thing is that I don't know how to embed this anyway.

In my personal opinion, before we whitelist any domain that is not operated by a well-known entity to use iframes, we should have a security review.

@LakesideMiners : To answer your question, yes MobileFrontend Extension is being used.

@Zppix : Is there a chance to display information in a different way than iframes ?

Reception123 renamed this task from Whitelist openagenda.com to CSP whitelist openagenda.com. Jan 11 2020, 09:13

Sorry for the delay in responding. Is this still needed?

Reception123 claimed this task.

No response in a week (and no recent wiki activity). Again, I am really sorry that this request was not looked at before, and we are working on a way to improve response times on Phabricator. Please reopen this task if this is indeed still needed.
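
The console message quoted in the description names « default-src » as the directive that blocked the widget script. The following is an added example, not part of the task and not the wiki farm's configuration: it applies CSP directive fallback to two constructed policies to show why the script and the iframe are both refused, and what a frame-src-only exemption would change. The policy strings, the function names and the simplified host matching are assumptions.

```javascript
// Added example: CSP source-list check with directive fallback (simplified).
// Policies are constructed for illustration; they are not the wiki farm's real header.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};

function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  // host-source: optional scheme, optional "*." prefix; ports, paths and a bare * are out of scope
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // 'none', nonces, hashes and other keywords never match here
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
}

function check(header, directive, resource, pageOrigin) {
  const policy = parsePolicy(header);
  const effective = FALLBACK[directive].find((d) => d in policy) || null;
  if (!effective) return { allowed: true, effective }; // no directive governs the load
  const url = new URL(resource);
  const allowed = policy[effective].some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, effective };
}

// URLs taken from the task; both policy strings are constructed samples.
const PAGE = 'https://zw.fontainebleau-avon.fr';
const SCRIPT = 'https://openagenda.com/js/embed/cibulBodyWidget.js';
const FRAME = 'https://openagenda.com/agendas/25554071/embeds/56281713/events?lang=fr';
const BEFORE = "default-src 'self' https://static.example.org";
const SCOPED = BEFORE + "; frame-src 'self' https://openagenda.com";

for (const [label, policy] of [['before', BEFORE], ['scoped', SCOPED]]) {
  console.log(label, 'script', check(policy, 'script-src', SCRIPT, PAGE));
  console.log(label, 'frame ', check(policy, 'frame-src', FRAME, PAGE));
}
```

Under the scoped policy the iframe is allowed while the openagenda.com script is still refused in the wiki's own origin; the `<div>` plus `<script>` variant from the task would instead need a script-src exemption, which lets third-party code run with the wiki page's privileges.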