Awesome, thanks Bryan, and thanks Leon for the report.

On Mon, Mar 26, 2018 at 4:20 PM, Bryan Davis <[email protected]> wrote:
> On Mon, Mar 26, 2018 at 12:49 PM, Leon Ziemba <[email protected]> wrote:
> > Hello Analytics!
> >
> > Recently, it seems browsers started throwing warnings when attempting to
> > load resources via XHR, unless they are whitelisted with a meta tag (I
> > think is how it works).
> >
> > So for instance, in the JavaScript console,
> > https://tools.wmflabs.org/pageviews now throws the warning:
> >
> > [Report Only] Refused to connect to
> > 'https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Cat/daily/2018020100/2018022800'
> > because it violates the following Content Security Policy directive:
> > "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem:
> > mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org *.wikinews.org
> > *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org
> > *.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org
> > *.mediawiki.org". Note that 'connect-src' was not explicitly set, so
> > 'default-src' is used as a fallback.
> >
> > This is not an issue with the Pageviews API, specifically, but it appears
> > many of the tools using it are affected (Treeviews, Wikistats, etc.). So I
> > was hoping you kind folks would know of a solution?
> >
> > I've been trying to go by
> > https://developers.google.com/web/fundamentals/security/csp/ for clues. I
> > think we need something similar to:
> >
> > <meta http-equiv="Content-Security-Policy" content="connect-src 'self'
> > wikimedia.org;">
> >
> > But this does not do the trick.
> >
> > Any ideas?
>
> The logged error is a warning only. I have been working on setting up
> a Content-Security-Policy-Report-Only header and a data collector for
> Toolforge (see <https://phabricator.wikimedia.org/T130748>) to
> determine the extent of 3rd party data usage. The rule set is
> currently "alpha" quality and your report has helped identify a
> problem.
>
> The current Content-Security-Policy-Report-Only header allows
> "*.wikimedia.org", but not "wikimedia.org". The meta header in your
> code won't help because layered Content-Security-Policy settings can
> only become more restrictive. I'll put up a patch to add the bare TLD
> and silence this report.
>
> Bryan
> --
> Bryan Davis    Wikimedia Foundation    <[email protected]>
> [[m:User:BDavis_(WMF)]]    Manager, Cloud Services    Boise, ID USA
> irc: bd808    v:415.839.6885 x6855
>
> _______________________________________________
> Analytics mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/analytics
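Added example, not code from the thread or from the Toolforge/Wikimedia configuration: a small Python CSP source-list evaluator that reproduces the three points Bryan makes above. It shows how `connect-src` falls back to `default-src`, why the host-source `*.wikimedia.org` matches `api.wikimedia.org` but never the bare `wikimedia.org`, and why adding a permissive `<meta>` policy cannot loosen the header policy (every delivered policy must allow the request). The policy strings and URLs are constructed from the text of the thread; the function names, the partial fallback table and the simplifications (no path matching, no nonces or hashes) are assumptions of this example.

```python
"""Minimal CSP evaluator (added example; hypothetical helper names).

Simplifications: matches scheme/host/port only (no path), treats nonce and
hash sources as non-matching for fetch requests, and knows only a few of the
fetch directives that fall back to default-src.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Partial fallback table (assumption: enough for this example). Directives not
# listed here, e.g. frame-ancestors, do NOT fall back to default-src.
FETCH_FALLBACK = {
    "connect-src": "default-src",
    "img-src": "default-src",
    "script-src": "default-src",
    "style-src": "default-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Constructed from the thread: the Report-Only policy Leon's console showed,
# the <meta> policy he tried, and the header with the bare host added.
HEADER_POLICY = (
    "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem: "
    "mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org *.wikinews.org "
    "*.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org "
    "*.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org "
    "*.mediawiki.org"
)
META_POLICY = "connect-src 'self' wikimedia.org;"
FIXED_HEADER_POLICY = HEADER_POLICY.replace(
    "*.wikimedia.org", "*.wikimedia.org wikimedia.org"
)
PAGE_ORIGIN = "https://tools.wmflabs.org"
API_URL = (
    "https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/"
    "en.wikipedia/all-access/user/Cat/daily/2018020100/2018022800"
)


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [sources]}; first wins."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def host_matches(pattern: str, host: str) -> bool:
    """'*.example.org' matches subdomains only; the apex needs its own entry."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '.example.org' suffix, apex excluded
    return pattern == host


def source_allows(expr: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit a request to url from page_origin?"""
    u, e = urlsplit(url), expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if e.startswith("'"):  # 'unsafe-inline', nonces, hashes: not host sources
        return False
    if e.endswith(":") and "://" not in e:  # scheme-source such as blob:
        return u.scheme == e[:-1]
    scheme, _, rest = e.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and scheme != u.scheme:
        return False
    if port and port != "*":
        if str(u.port or DEFAULT_PORTS.get(u.scheme)) != port:
            return False
    return host_matches(host, u.hostname or "")


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Walk the fallback chain; None means the policy does not restrict it."""
    while directive not in policy:
        directive = FETCH_FALLBACK.get(directive)
        if directive is None:
            return None
    return policy[directive]


def policy_allows(policy_text: str, directive: str, url: str, page_origin: str) -> bool:
    sources = effective_sources(parse_policy(policy_text), directive)
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def allowed_by_all(policies: list[str], directive: str, url: str, page_origin: str) -> bool:
    """Header + meta policies are layered: the request must satisfy each one."""
    return all(policy_allows(p, directive, url, page_origin) for p in policies)


if __name__ == "__main__":
    print("header alone    :", policy_allows(HEADER_POLICY, "connect-src", API_URL, PAGE_ORIGIN))
    print("header + meta   :", allowed_by_all([HEADER_POLICY, META_POLICY], "connect-src", API_URL, PAGE_ORIGIN))
    print("fixed header    :", policy_allows(FIXED_HEADER_POLICY, "connect-src", API_URL, PAGE_ORIGIN))
```

Run as a script it prints False, False, True: the Report-Only header refuses the apex host, stacking the meta policy on top still refuses it, and only the header change Bryan describes (adding the bare `wikimedia.org`) allows the request.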
