
kkutuwiki is violating the CSP
Closed, ResolvedPublic

Description

There are a number of external resources being loaded on kkutuwiki.

We should whitelist these or help @Hatty163 track them & remove them.

It looks like Skin:Liberty is adding some of them:

secure.gravatar.com
*.cloudflare.com

From what I can see the cloudflare ones are trying to inject CSS for a font from Font Awesome.

The gravatar icons vary quite a bit.

I see a librewiki logo, twitter & facebook logos and probably others attempting to load.

Event Timeline

Reception123 triaged this task as Normal priority. Edited May 21 2020, 15:09
Reception123 removed a project: acl*security.
Reception123 moved this task from Radar to Discussion on the Site Reliability Engineering board.

Per T4914#93370 it isn't a "violation", it is simply the fact that the CSP is not letting the resources load.

A decision must be made regarding if the two sites should be added to the whitelist.

The question to the requester is whether these two sites are essential to the running of their wiki.

The use of Font Awesome via the cloudflare CDN we have been told is not needed.

The gravatar icons I am told are essential but getting info from gravatar requires sending the user email and returning a profile pic so I’m not happy about the privacy side.
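An added triage helper (example code, not part of this task or of the Liberty skin): it parses report-uri style CSP violation reports, groups the blocked hosts per directive, checks each against the proposed allowlist, and flags Gravatar avatar fetches, whose URL path is an MD5 hash of the user's e-mail address. The sample reports and the kkutu.example hostname are constructed.

```python
import json
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Gravatar avatar URLs carry the MD5 of the user's e-mail in the path.
GRAVATAR_AVATAR = re.compile(r"^/avatar/[0-9a-f]{32}$")

def _report(doc, directive, blocked):
    """Build one report-uri style CSP violation report (JSON text)."""
    return json.dumps({"csp-report": {"document-uri": doc,
                                      "violated-directive": directive,
                                      "blocked-uri": blocked}})

# Constructed sample reports, not real kkutuwiki logs; kkutu.example is an assumption.
SAMPLE_REPORTS = [
    _report("https://kkutu.example/wiki/Main", "style-src",
            "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.13.0/css/all.min.css"),
    _report("https://kkutu.example/wiki/Main", "img-src",
            "https://secure.gravatar.com/avatar/5d41402abc4b2a76b9719d911017c592?s=32"),
    _report("https://kkutu.example/wiki/Talk", "img-src",
            "https://secure.gravatar.com/avatar/5d41402abc4b2a76b9719d911017c592?s=32"),
    _report("https://kkutu.example/wiki/Talk", "font-src",
            "https://cdn.jsdelivr.net/npm/some-font/font.woff2"),
]

# Hosts the task proposes allowing; "*.cloudflare.com" uses CSP wildcard syntax.
PROPOSED_ALLOWLIST = ["secure.gravatar.com", "*.cloudflare.com"]

def host_allowed(host, allowlist):
    """True if host is covered by an allowlist entry (CSP-style leading wildcard)."""
    return any(fnmatchcase(host, pattern) for pattern in allowlist)

def triage(report_lines, allowlist):
    """Aggregate blocked hosts per directive; flag Gravatar avatar fetches."""
    summary = {}
    for line in report_lines:
        r = json.loads(line)["csp-report"]
        parts = urlsplit(r["blocked-uri"])
        host = parts.hostname or r["blocked-uri"]  # "inline"/"eval" have no host
        entry = summary.setdefault((r["violated-directive"], host), {
            "count": 0, "pages": set(), "allowed": host_allowed(host, allowlist),
            "email_hash": False})
        entry["count"] += 1
        entry["pages"].add(r["document-uri"])
        if host.endswith("gravatar.com") and GRAVATAR_AVATAR.match(parts.path):
            entry["email_hash"] = True  # third party receives an e-mail-derived hash
    return summary

if __name__ == "__main__":
    for (directive, host), e in sorted(triage(SAMPLE_REPORTS, PROPOSED_ALLOWLIST).items()):
        flag = " [e-mail hash sent to third party]" if e["email_hash"] else ""
        print(f"{directive:10} {host:25} x{e['count']} on {len(e['pages'])} page(s) "
              f"{'allowed' if e['allowed'] else 'BLOCKED'}{flag}")
```

Feed it the JSON bodies collected at a report-uri endpoint to see which hosts would still be blocked under a given allowlist before changing the policy.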

Reception123 changed the visibility from "Public (No Login Required)" to "Custom Policy". May 21 2020, 15:42
Reception123 added a project: acl*security.

Moving back to Security because better to be safe than sorry, there is a potential leak of user data so it's better to be on the safe side and keep it private for the time being IMHO. If someone feels this is not necessary feel free to move back to public.

Made private as Gravatar may have caused a leak of the users' email on https://github.com/librewiki/liberty-skin/blob/7831b735c1a85eda8b0053a3db242460ac38237c/LibertyTemplate.php#L197 - We're still looking at how bad.

From @Hatty163: Update: If we disable LibertyUseGravatar, the profile icon doesn't show up (where it has dropdown menus for reaching configurations) - so we will probably need to replace this (https://github.com/librewiki/liberty-skin/blob/7831b735c1a85eda8b0053a3db242460ac38237c/LibertyTemplate.php#L217) with a FA icon or something else.

Update: https://github.com/librewiki/liberty-skin/blob/7831b735c1a85eda8b0053a3db242460ac38237c/LibertyTemplate.php#L643 This backlink isn't needed since there's literally no problem removing the backlink.

+ Font Awesome implementation needed

Update: Found out that the Facebook, Twitter button is just a share button. It doesn't need additional configuration.

Reception123 raised the priority of this task from Normal to High. May 21 2020, 16:40

Skin was enabled on May 25, 2018. CSP enabled in late August 2018.

Update: Also getting some CSP errors from loading web fonts from

cdn.jsdelivr.net

We’ve focused on gravatar at the moment as we don’t believe the others pose any risk.

Paladox claimed this task.
Paladox changed the visibility from "Custom Policy" to "Public (No Login Required)". May 24 2020, 14:35