Hello Analytics!

Recently, it seems browsers started throwing warnings when attempting to
load resources via XHR, unless they are whitelisted with a meta tag (I
think that is how it works).

So for instance, in the JavaScript console,
https://tools.wmflabs.org/pageviews now throws the warning:

[Report Only] Refused to connect to
'https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Cat/daily/2018020100/2018022800'
because it violates the following Content Security Policy directive:
"default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem:
mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org *.wikinews.org
*.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org
*.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org
*.mediawiki.org ". Note that 'connect-src' was not explicitly set, so
'default-src' is used as a fallback.

This is not an issue with the Pageviews API, specifically, but it appears
many of the tools using it are affected (Treeviews
<https://tools.wmflabs.org/glamtools/treeviews/>, Wikistats
<https://tools.wmflabs.org/wikistats/>, etc.). So I was hoping you kind
folks would know of a solution?

I've been trying to go by
https://developers.google.com/web/fundamentals/security/csp/ for clues. I
think we need something similar to:

<meta http-equiv="Content-Security-Policy" content="connect-src 'self'
wikimedia.org;">

But this does not do the trick.

Any ideas?


Many thanks,

~Leon
_______________________________________________
Analytics mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/analytics
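
Added example (not part of the message above, and not Wikimedia code): a simplified JavaScript model of how a browser checks the reported policy against this request. It shows that "*.wikimedia.org" does not cover the bare host "wikimedia.org", and that a policy from a meta tag is evaluated separately and cannot relax another policy. All function and constant names are illustrative; port, path and scheme rules for host-sources are left out.

```javascript
// Added illustration: simplified CSP matching for connect (XHR/fetch) requests.
// Only keywords, scheme-sources and host-sources are handled; ports, paths and
// the scheme rules for schemeless host-sources are ignored.
const PAGE_ORIGIN = "https://tools.wmflabs.org";
const API_URL = "https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/" +
  "en.wikipedia/all-access/user/Cat/daily/2018020100/2018022800";
// Policy text copied from the console warning in the message.
const REPORTED_POLICY = "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: " +
  "filesystem: mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org " +
  "*.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org " +
  "*.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org *.mediawiki.org";
// Policy from the <meta> tag tried in the message.
const META_POLICY = "connect-src 'self' wikimedia.org;";

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const host = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").toLowerCase();
  // "*.example.org" requires at least one extra label, so it does not match "example.org".
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function connectAllowed(policy, target, pageOrigin) {
  const directives = parsePolicy(policy);
  // connect-src falls back to default-src; with neither present nothing is restricted.
  const sources = directives.get("connect-src") ?? directives.get("default-src");
  if (sources === undefined) return true;
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Every policy on a page is evaluated on its own; one policy cannot relax another.
function violatedPolicies(policies, target, pageOrigin) {
  return policies.filter((p) => !connectAllowed(p, target, pageOrigin));
}

console.log(connectAllowed(REPORTED_POLICY, API_URL, PAGE_ORIGIN));
console.log(violatedPolicies([REPORTED_POLICY, META_POLICY], API_URL, PAGE_ORIGIN).length);
console.log(connectAllowed(REPORTED_POLICY + " wikimedia.org", API_URL, PAGE_ORIGIN));
```

In this model the warning goes away only when the bare host is added to the source list of the policy that produced the report, as the last call shows.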
