[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-12-02 Thread Lucas_Werkmeister_WMDE
Lucas_Werkmeister_WMDE added a comment.


  (Just to be clear – the above changes have been merged, but not deployed yet, 
so please don’t set any CSP headers yet :) )

TASK DETAIL
  https://phabricator.wikimedia.org/T238618

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, Aklapper, Bawolff, darthmon_wmde, DannyS712, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, EBjune, merbst, LawExplorer, 
Salgo60, _jensen, rosalieper, Scott_WUaS, Jonas, Xmlizer, jkroll, Smalyshev, 
Wikidata-bugs, Jdouglas, aude, Tobias1984, Manybubbles, Lydia_Pintscher, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs


[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-12-01 Thread Bawolff
Bawolff added a comment.


  So I guess the next question is, where to set the CSP headers. My guess would 
be in `sub cluster_fe_deliver` of `text-frontend.inc.vcl.erb`, but I'm really 
not sure if that is the correct place.



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-28 Thread gerritbot
gerritbot added a comment.


  Change 552660 **merged** by jenkins-bot:
  [wikidata/query/gui@master] Make polestar no longer use inline scripts
  
  https://gerrit.wikimedia.org/r/552660



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-28 Thread gerritbot
gerritbot added a comment.


  Change 552656 **merged** by jenkins-bot:
  [wikidata/query/gui@master] Use CORS instead of jsonp for cross domain 
requests
  
  https://gerrit.wikimedia.org/r/552656



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-28 Thread gerritbot
gerritbot added a comment.


  Change 552652 **merged** by jenkins-bot:
  [wikidata/query/gui@master] Split initialization JS of embed.html to separate 
file
  
  https://gerrit.wikimedia.org/r/552652



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread gerritbot
gerritbot added a comment.


  Change 552660 had a related patch set uploaded (by Brian Wolff; owner: Brian 
Wolff):
  [wikidata/query/gui@master] Make polestar no longer use inline scripts
  
  https://gerrit.wikimedia.org/r/552660



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread Bawolff
Bawolff added a comment.


  So revised suggested CSP header:
  
  For everything except in the polestar directory:
  
default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/js/ blob:;
connect-src meta.wikimedia.org/w/api.php www.wikidata.org/w/api.php 'self' query.wikidata.org;
object-src 'none';
report-uri https://www.wikidata.org/w/api.php?action=cspreport=none=wdqs
  
  For the polestar directory:
  
default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/polestar/scripts/ 'unsafe-eval';
object-src 'none';
sandbox allow-scripts;
report-uri https://www.wikidata.org/w/api.php?action=cspreport=none=wdqs-polestar
  
  This will cause the bookmark feature of polestar to be disabled (Is that 
acceptable?). It will also break the import data option, but that doesn't look 
like it works anyways, and isn't shown in the normal workflow.

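To check the two proposed policies against the properties this thread cares about (no inline scripts, object-src locked down, where 'unsafe-eval' is tolerated), here is an added Python example; it is not code from the task or from the WDQS GUI project. The policy strings are copied from the comment above with the report-uri directive omitted, the default-src fallback follows how browsers resolve fetch directives, and the finding texts are my own.

```python
# Added example: a small CSP parser and linter run over the two policies
# proposed in T238618 (report-uri omitted from the constructed samples).

# Fetch directives fall back to default-src when absent (browser behaviour).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "media-src",
                    "connect-src", "object-src", "font-src", "frame-src"}

GENERAL = ("default-src 'self' data:; style-src 'unsafe-inline' data: 'self'; "
           "img-src data: 'self' upload.wikimedia.org commons.wikimedia.org; "
           "media-src data: 'self' upload.wikimedia.org commons.wikimedia.org; "
           "script-src 'report-sample' https://query.wikidata.org/js/ blob:; "
           "connect-src meta.wikimedia.org/w/api.php www.wikidata.org/w/api.php "
           "'self' query.wikidata.org; object-src 'none'")
POLESTAR = ("default-src 'self' data:; style-src 'unsafe-inline' data: 'self'; "
            "img-src data: 'self' upload.wikimedia.org commons.wikimedia.org; "
            "media-src data: 'self' upload.wikimedia.org commons.wikimedia.org; "
            "script-src 'report-sample' https://query.wikidata.org/polestar/scripts/ "
            "'unsafe-eval'; object-src 'none'; sandbox allow-scripts")


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}.
    Directives are ';'-separated, sources whitespace-separated; names are
    case-insensitive and, as in browsers, a repeated directive is ignored."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that actually govern a directive, after default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"]) if directive in FETCH_DIRECTIVES else []


def lint_csp(policy):
    """Findings a reviewer would raise before deploying the policy."""
    findings = []
    scripts = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows inline scripts")
    if "'unsafe-eval'" in scripts:
        note = "script-src allows 'unsafe-eval'"
        if "sandbox" in policy:  # sandbox without allow-same-origin => opaque origin
            note += " (page sandboxed into an opaque origin)"
        findings.append(note)
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    return findings
```

Running `lint_csp(parse_csp(GENERAL))` yields no findings, while the polestar policy reports only the sandboxed 'unsafe-eval', which matches the trade-off described in the comment.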


[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread Bawolff
Bawolff added a comment.


  Polestar also has a button to load datasets from 
http://ec2-52-1-38-182.compute-1.amazonaws.com:8753 - which seems a bit suspect 
from a privacy policy perspective...



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread gerritbot
gerritbot added a comment.


  Change 552656 had a related patch set uploaded (by Brian Wolff; owner: Brian 
Wolff):
  [wikidata/query/gui@master] Use CORS instead of jsonp for cross domain 
requests
  
  https://gerrit.wikimedia.org/r/552656



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread gerritbot
gerritbot added a comment.


  Change 552652 had a related patch set uploaded (by Brian Wolff; owner: Brian 
Wolff):
  [wikidata/query/gui@master] Split initialization JS of embed.html to separate 
file
  
  https://gerrit.wikimedia.org/r/552652



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread Bawolff
Bawolff added a comment.


  So if I was ignoring polestar (aka graph builder mode) the ideal CSP would be 
something like:
  
default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
script-src 'report-sample' https://query.wikidata.org/js/ blob:;
connect-src meta.wikimedia.org www.wikidata.org 'self';
object-src 'none';
report-uri https://www.wikidata.org/w/api.php?action=cspreport=none



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-24 Thread Bawolff
Bawolff added a comment.


  So investigating this a bit further:
  
  - embed.html would ideally have its script in a separate file
  - Move the current usages of JSONP with www.wikidata.org to CORS
  - polestar uses angular, from what I understand, angular can be used to 
bypass CSP



[Wikidata-bugs] [Maniphest] [Commented On] T238618: Adopt a CSP policy for query.wikidata.org

2019-11-19 Thread Lucas_Werkmeister_WMDE
Lucas_Werkmeister_WMDE added a comment.


  Yeah, that should be possible – I //think// we only load scripts from 
query.wikidata.org itself (plus a handful of inline ones that could be 
converted), not from any other domains.
