Puikstekend added a comment.
Thanks for the reply Lydia! Looks like this issue stems from the Content Security Policy set by the WikiData Query Builder server. I narrowed the issue down to a CSP restriction on the iframe sandbox. It tries to download a resource at //blob:https://query.wikidata.org/xxx//, but this violates the CSP //default-src self;// and //connect-src 'self' https://www.wikidata.org https://meta.wikimedia.org;// directives because the scheme does not match any of the listed sources. (When going directly to the https://query.wikidata.org/embed.html page, I also didn't get this issue, because there is no longer an iframe that tries to download a blob object.)

I'm not exactly sure what is necessary to resolve this issue, but I think there are two things to look at first:

- add //blob:https://query.wikidata.org// to the //connect-src// directive in the CSP in the HTTP headers (see MDN <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src>)
- //allow-downloads// directive on the iframe sandbox (see MDN <https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox>)

Note that Google's CSP evaluator <https://csp-evaluator.withgoogle.com/> already lists a high severity finding for this page ('unsafe-inline' allows the execution of unsafe in-page scripts and event handlers.)

TASK DETAIL
https://phabricator.wikimedia.org/T323451
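The check described in the comment above, as an added example that is not part of the original message or of the Wikidata code: a simplified model of how a browser evaluates `connect-src` for a `blob:` URL. The function names, the policy strings (built from the two directives quoted in the comment) and the `blob:` scheme-source form in `FIXED_POLICY` are assumptions of this sketch, and it follows the browser behaviour reported in the comment, where `'self'` and https host sources do not cover `blob:` URLs.

```javascript
// Simplified CSP source-list matcher (assumption: ports, paths and
// wildcards are ignored; only scheme, 'self' and host sources are modelled).
const SELF_ORIGIN = 'https://query.wikidata.org';
// Constructed from the directives quoted in the comment.
const POLICY = "default-src 'self'; " +
  "connect-src 'self' https://www.wikidata.org https://meta.wikimedia.org";
// Same policy with a blob: scheme-source appended to connect-src.
const FIXED_POLICY = POLICY + ' blob:';

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const scheme = url.protocol; // "https:" or "blob:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return source.toLowerCase() === scheme; // scheme-source such as blob:
  }
  // blob:, data: and filesystem: URLs need an explicit scheme-source.
  if (scheme !== 'http:' && scheme !== 'https:') return false;
  if (source.toLowerCase() === "'self'") return url.origin === selfOrigin;
  if (source.startsWith("'")) return false; // other keywords, e.g. 'none'
  try {
    const full = source.includes('://') ? source : `${scheme}//${source}`;
    return new URL(full).origin === url.origin; // host-source
  } catch {
    return false; // not a usable source expression
  }
}

function connectAllowed(header, target, selfOrigin = SELF_ORIGIN) {
  const policy = parsePolicy(header);
  // connect-src falls back to default-src when it is absent.
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no applicable directive
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}
```
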