
Custom Access-Control-Allow-Origin
Closed, Resolved (Public)

Description

Context: I'm trying to build an oscilloscope with MP3/OGG files using the Web Audio API.

Problem: CORS policy blocks the media from being played, so the MP3/OGG fails to load. I thought this was initially because the Access-Control-Allow-Origin was set only to the wikis themselves, but even if I upload an audio on my own wiki, CORS policy still blocks it.
I'm testing it on https://rotompedia.miraheze.org/wiki/User:Lakelimbo/test for now.

The apparent solution is to manually set $wgCrossSiteAJAXdomains (https://www.mediawiki.org/wiki/Manual:$wgCrossSiteAJAXdomains):

  • All of Miraheze (and maybe some Wikimedia subdomains?):
$wgCrossSiteAJAXdomains = [
    '*.miraheze.org'
];
  • or allow my Wiki specifically:
$wgCrossSiteAJAXdomains = [
    'lakehub.miraheze.org'
];

If possible, could this be changed? Thanks :)

Event Timeline

Redmin subscribed.

Static does not use MediaWiki. It might be worth tagging this with Puppet as that currently handles the CSP for wikis.

Unknown Object (User) added a project: Puppet. Jan 21 2021, 16:04
Unknown Object (User) added a subscriber: Southparkfan.

Needs approval from @Southparkfan to whitelist all of static.miraheze.org in CORS policy.

Unknown Object (User) assigned this task to Southparkfan. Jan 23 2021, 06:25

Assigning to @Southparkfan for review per my above comment

Southparkfan reassigned this task from Southparkfan to Unknown Object (User). Jan 23 2021, 15:22
In T6730#132558, @Void wrote:

[...]

There's also https://github.com/miraheze/puppet/blob/2815534395f49982fc818843e840dca4f38de000/modules/mediawiki/templates/mediawiki-includes.conf.erb#L54, but I'm not sure if that needs to be touched, especially since it doesn't appear to have been updated in a long time.

Yes, that's the culprit. https://rotompedia.miraheze.org/wiki/User:Lakelimbo/test wants to load https://static.miraheze.org/rotompediawiki/3/36/Springyard.wav, but that doesn't match the regex .(gif|ico|jpg|jpeg|png|svg)$.

Approved.

Unknown Object (User) added a comment. Jan 26 2021, 09:17

@Southparkfan, just to be clear, you are giving the OK to whitelist all of static.miraheze.org, or just wav files? If just wav files, that may not be 100% sufficient enough for this task, which is why I am asking for further clarification here. Thank you!

By the way, I personally will only use audio files (MP3, OGG, WAV, FLAC) for this, as I don't see need for other file types to be used in this way (maybe video files, but I'm not sure about that).

Unknown Object (User) reassigned this task from Unknown Object (User) to Southparkfan. Jan 28 2021, 18:08

Reassign to SPF again just for the clarification I asked for above.

Southparkfan reassigned this task from Southparkfan to Unknown Object (User). Jan 28 2021, 23:34

https://stackoverflow.com/a/56457665: "Access-Control-Allow-Origin: * is totally safe to add to any resource, unless that resource contains private data protected by something other than standard credentials. Standard credentials are cookies, HTTP basic auth, and TLS client certificates."

The only private content to serve off static would be content from private wikis (proxied via img_auth.php), but authentication/authorisation for private content is/will be done through Cookies ('standard credentials'). Someone streaming XML files (non-private) could become a problem, but the risk is low (likelihood: rare, impact: we can change the ACAO header at any time and deploy the change for all users within seconds).

I'd say the wildcard ACAO header for everything on static.miraheze.org is fine.
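The reasoning above (no ACAO header blocks the .wav load; a wildcard ACAO fixes it but still cannot be read by a credentialed, cookie-authenticated cross-origin request) can be checked against a model of the browser's CORS response check. This is an added example, not code from this task or from Miraheze's puppet repository; the server-side rule is an assumed simplification of the nginx config (old: ACAO only for the image extensions, new: `*` for everything on static), and the `img_auth.php` path is constructed.

```javascript
// Added example (not Miraheze code): models the CORS check a browser applies to a
// cross-origin GET from a wiki page to static.miraheze.org, for the old and new
// static server rules discussed in this task.

// Extension regex the old static config keyed its ACAO header on (from the task).
const IMAGE_RE = /\.(gif|ico|jpg|jpeg|png|svg)$/i;

// Assumed model of the response headers static.miraheze.org sends for a path.
// old rule: ACAO "*" only for image extensions; new rule: ACAO "*" for everything.
function staticHeaders(path, wildcardForAll) {
  if (wildcardForAll || IMAGE_RE.test(path)) {
    return { 'access-control-allow-origin': '*' };
  }
  return {};
}

// Fetch-standard CORS check: may a page at `origin` read this response?
//  - no ACAO header               -> blocked
//  - ACAO "*"                     -> readable only if the request sent no credentials
//  - ACAO equal to the origin     -> readable; with credentials, ACAC: true is also required
function corsAllowsRead(origin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  if (acao !== origin) return false;
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') return false;
  return true;
}

// A wiki page (the reporter's test page origin) loading `path` from static.
// withCredentials=true corresponds to crossOrigin="use-credentials" / cookies sent.
function wikiCanRead(path, withCredentials, wildcardForAll) {
  const origin = 'https://rotompedia.miraheze.org';
  return corsAllowsRead(origin, withCredentials, staticHeaders(path, wildcardForAll));
}

// Case 1: the reported bug. .wav misses the image regex, so no ACAO header is sent.
// Case 2: with the wildcard, an anonymous (crossOrigin="anonymous") audio load works.
// Case 3: cookie-protected private-wiki content (constructed img_auth.php path) fetched
//         with credentials is still unreadable cross-origin: "*" never satisfies a
//         credentialed request, which is why the wildcard does not expose it.
```

The third case is the property the StackOverflow quote relies on: a wildcard only widens access to what an unauthenticated request could already fetch.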

Unknown Object (User) reassigned this task from Unknown Object (User) to Paladox. Feb 11 2021, 20:01