CSP is blocking some extensions from functioning.
Closed, ResolvedPublic

Description

CSP is currently blocking some extensions from functioning correctly. So far the ones identified are:

  • Extension:CSS
    Content Security Policy: The page’s settings blocked the loading of a resource at data:text/css;charset=UTF-8;base64,LnJlZ… (“style-src”).
  • Extension:YouTube
    Content Security Policy: The page’s settings blocked the loading of a resource at https://www.youtube-nocookie.com/embed/pSsYTj9kCHE (“frame-src”).
  • Extension:EmbedVideo (YouTube and Twitch service, have not tested other services)
    • YouTube On Page Load
      Content Security Policy: The page’s settings blocked the loading of a resource at https://www.youtube-nocookie.com/oembed?url=https://www.youtube.com/watch?v=uvIHJ5-WLRI (“default-src”).
    • YouTube On Click
      Content Security Policy: The page’s settings blocked the loading of a resource at https://www.youtube-nocookie.com/embed/uvIHJ5-WLRI (“frame-src”).
    • Twitch On Click
      Content Security Policy: The page’s settings blocked the loading of a resource at https://player.twitch.tv/?channel=twitchvod&parent=tot.wiki (“frame-src”).
  • Extension:TwitterTag
    Content Security Policy: The page’s settings blocked the loading of a resource at https://platform.twitter.com/widgets/widget_iframe.f88235f49a156f8b4cab34c7bc1a0acc.html?origin=https%3A%2F%2Ftot.wiki (“frame-src”).

Steps to Reproduce

  1. Edit a page to use the listed extensions' parser hooks/tag.
  2. Save page.
  3. Verify extension is not functioning. In addition, Console will show the CSP errors during page load.
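The violations above are a source-list mismatch: each blocked load is checked against the directive named in the console message (or the directive it falls back to, which is why the oembed fetch was reported against default-src). The following is an added example, not part of this task or of Miraheze's configuration: a small CSP evaluator that takes a constructed policy shaped like the one that blocked these extensions and a constructed corrected policy that allow-lists only the hosts each extension needs, and runs the loads listed in this task through both. It assumes the page origin is https://tot.wiki (taken from the reported URLs) and uses a constructed data: URL body in place of the truncated one in the report.

```javascript
// Minimal CSP source-list evaluator: parses a Content-Security-Policy header and checks
// whether a load under a given directive is allowed. Added example; the two policies
// below are constructed for illustration and are not Miraheze's actual CSP header.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}
// Fetch directives fall back to default-src (frame-src via child-src first), which is
// why the EmbedVideo oembed fetch was reported against "default-src" in the task.
const FALLBACK = { 'frame-src': ['child-src', 'default-src'] };
function effectiveSources(policy, directive) {
  for (const d of [directive, ...(FALLBACK[directive] || ['default-src'])]) {
    if (policy.has(d)) return policy.get(d);
  }
  return null; // no governing directive: the load is not restricted
}
// Handles 'self', 'none', scheme-sources (data:, https:) and host-sources with an
// optional scheme and a leading *. wildcard; ports and paths are ignored to keep it short.
function matchesSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const [scheme, host] = e.includes('://') ? e.split('://') : [null, e];
  if (scheme ? url.protocol !== scheme + ':' : !/^https?:$/.test(url.protocol)) return false;
  const pattern = host.split('/')[0].split(':')[0];
  return pattern.startsWith('*.') ? url.hostname.endsWith(pattern.slice(1)) : url.hostname === pattern;
}
function isAllowed(header, directive, resource, pageOrigin = 'https://tot.wiki') {
  const sources = effectiveSources(parseCsp(header), directive);
  return sources === null || sources.some((s) => matchesSource(s, new URL(resource), pageOrigin));
}
// The loads from the task: the data: URL body is constructed, the others are as reported.
const LOADS = [
  ['style-src', 'data:text/css;base64,Ym9keXt9'], // Extension:CSS
  ['frame-src', 'https://www.youtube-nocookie.com/embed/pSsYTj9kCHE'], // Extension:YouTube
  ['connect-src', 'https://www.youtube-nocookie.com/oembed?url=https://www.youtube.com/watch?v=uvIHJ5-WLRI'],
  ['frame-src', 'https://player.twitch.tv/?channel=twitchvod&parent=tot.wiki'],
  ['frame-src', 'https://platform.twitter.com/widgets/widget_iframe.f88235f49a156f8b4cab34c7bc1a0acc.html?origin=https%3A%2F%2Ftot.wiki'],
  ['script-src', 'https://cdn.jsdelivr.net/npm/example.js'], // CDN listed as .com instead of .net
];
const BLOCKING = "default-src 'self'; style-src 'self'; script-src 'self' https://cdn.jsdelivr.com; frame-src 'self'";
const FIXED = "default-src 'self'; style-src 'self' data:; script-src 'self' https://cdn.jsdelivr.net; connect-src 'self' https://www.youtube-nocookie.com; frame-src 'self' https://www.youtube-nocookie.com https://player.twitch.tv https://platform.twitter.com";
// Number of LOADS each policy blocks: 6 under BLOCKING, 0 under FIXED.
function countBlocked(header) {
  return LOADS.filter(([directive, url]) => !isAllowed(header, directive, url)).length;
}
```

Note that the corrected policy adds data: only to style-src and names each third-party host under the single directive that needs it, rather than loosening default-src, so the fix does not widen what scripts or frames the wiki will accept beyond these extensions' sources.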

Other Comments

Event Timeline

RhinosF1 added a subscriber: John.

@John just deployed a new method to make it safer by limiting domains to what they need rather than all access.

RhinosF1 triaged this task as High priority. Sep 4 2021, 21:28

It will be investigated

I clarified my last comment that it seems the CSP is blocking something that's running on all Wikis. I've included Miraheze Meta Main Page as an example.

In addition, this also seems to be blocking Extension:YouTube from functioning as well. I will update the task.

Elaeagnifolia renamed this task from "CSP is blocking CSS extension from functioning." to "CSP is blocking some extensions from functioning.". Sep 4 2021, 21:50
Elaeagnifolia updated the task description.

Glad I wasn't the only one, for me visual editor just doesn't want to load at all because of it.

Unknown Object (User) raised the priority of this task from High to Unbreak Now!. Sep 4 2021, 21:57

This is affecting a lot of stuff. Raising to UBN.

Unknown Object (User) added a comment. Sep 4 2021, 22:06

Also, the JSDelivr's CDN is incorrectly listed as cdn.jsdelivr.com instead of .net.

https://github.com/miraheze/puppet/pull/1946 to fix jsdelivr but it seems no one in infrastructure is currently available to deploy.

Unknown Object (User) added a comment. Sep 4 2021, 22:22

Some of the issues should now be fixed, do you mind verifying and letting us know of any remaining issues?

I've removed VisualEditor since it seems to load now. Unsure if it was related.

The others are still running into issues from what I can see. I've added Extension:TwitterTag to the list as well as the related console messages for each.

Unknown Object (User) added a comment. Sep 4 2021, 22:45

https://github.com/miraheze/puppet/pull/1947 should fix most of the mentioned ones.

Unknown Object (User) closed this task as Resolved. Sep 4 2021, 23:12
Unknown Object (User) claimed this task.

Please reopen if issues persist after a few more minutes.