Lucas_Werkmeister_WMDE added a comment.
(Just to be clear – the above changes have been merged, but not deployed yet,
so please don’t set any CSP headers yet :) )
TASK DETAIL
https://phabricator.wikimedia.org/T238618
Bawolff added a comment.
So I guess the next question is, where to set the CSP headers. My guess would
be in `sub cluster_fe_deliver` of `text-frontend.inc.vcl.erb`, but I'm really
not sure if that is the correct place.
gerritbot added a comment.
Change 552660 **merged** by jenkins-bot:
[wikidata/query/gui@master] Make polestar no longer use inline scripts
https://gerrit.wikimedia.org/r/552660
gerritbot added a comment.
Change 552656 **merged** by jenkins-bot:
[wikidata/query/gui@master] Use CORS instead of jsonp for cross domain requests
https://gerrit.wikimedia.org/r/552656
gerritbot added a comment.
Change 552652 **merged** by jenkins-bot:
[wikidata/query/gui@master] Split initialization JS of embed.html to separate file
https://gerrit.wikimedia.org/r/552652
gerritbot added a comment.
Change 552660 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Make polestar no longer use inline scripts
https://gerrit.wikimedia.org/r/552660
Bawolff added a comment.
So revised suggested CSP header:
For everything except in the polestar directory:
default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' upload.wi
Bawolff added a comment.
Polestar also has a button to load datasets from
http://ec2-52-1-38-182.compute-1.amazonaws.com:8753 - which seems a bit suspect
from a privacy policy perspective...
gerritbot added a comment.
Change 552656 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Use CORS instead of jsonp for cross domain requests
https://gerrit.wikimedia.org/r/552656
gerritbot added a comment.
Change 552652 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[wikidata/query/gui@master] Split initialization JS of embed.html to separate file
https://gerrit.wikimedia.org/r/552652
Bawolff added a comment.
So if I was ignoring polestar (aka graph builder mode) the ideal CSP would be
something like:
default-src 'self' data:;
style-src 'unsafe-inline' data: 'self';
img-src data: 'self' upload.wikimedia.org commons.wikimedia.org;
media-src data: 'self' up
Bawolff added a comment.
So investigating this a bit further:
- embed.html would ideally have its script in a separate file
- Move the current usages of JSONP with www.wikidata.org to CORS
- polestar uses angular, from what I understand, angular can be used to
bypass CSP
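The three items above (external init script for embed.html, JSONP to CORS, polestar's inline scripts) all follow from how the proposed policy resolves under CSP Level 2: `script-src` and `connect-src` are not listed, so both fall back to `default-src 'self' data:`, which has no `'unsafe-inline'` and no `www.wikidata.org`. A JSONP call is a `<script>` load governed by `script-src`, while a CORS request is governed by `connect-src`, so switching to CORS only helps if the final policy also lists the API host under `connect-src` (the policy as quoted in this archive is truncated after `media-src`, so that part may simply be missing here). The following checker is an added example written for this thread, not code from wikidata/query/gui or from the VCL templates; the policy string is copied from the comments above as far as it survives, and the URLs it tests are constructed:

```python
"""Resolve a Content-Security-Policy and check what it would allow (constructed example)."""
from urllib.parse import urlparse

# CSP Level 2 fetch directives that inherit default-src when not set explicitly.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "connect-src",
    "font-src", "object-src", "child-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [sources]}.

    Browsers honour the first occurrence of a duplicated directive, so
    setdefault() keeps the first one and ignores later repeats.
    """
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Return the source list governing `directive`, or None if it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def inline_allowed(policy: dict, directive: str) -> bool:
    """Inline <script>/<style> bodies need 'unsafe-inline' (nonces/hashes not modelled)."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def _host_matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.wikimedia.org" -> ".wikimedia.org" suffix
    return pattern == host


def url_allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Would a page at `page_origin` be allowed to load `url` under `directive`?

    Handles 'self', 'none', scheme sources (data:, https:) and host sources with
    optional scheme, port and wildcard subdomain. Path matching is not modelled.
    """
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    target, page = urlparse(url), urlparse(page_origin)
    target_port = target.port or {"http": 80, "https": 443}.get(target.scheme)
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "'self'":
            if target.scheme == page.scheme and target.netloc == page.netloc:
                return True
            continue
        if s.startswith("'"):                        # 'unsafe-inline' etc. never match a URL
            continue
        if s.endswith(":") and "//" not in s:        # scheme-source such as data:
            if target.scheme == s[:-1]:
                return True
            continue
        scheme, _, rest = s.rpartition("://")        # host-source, scheme optional
        if scheme and target.scheme != scheme:
            continue
        host, _, port = rest.split("/", 1)[0].partition(":")
        if port and port != "*" and str(target_port) != port:
            continue
        if _host_matches(host, (target.hostname or "").lower()):
            return True
    return False


# Policy proposed in the thread, as far as the archive preserves it
# (the media-src line is cut off there, so it is left out here).
THREAD_POLICY = (
    "default-src 'self' data:; "
    "style-src 'unsafe-inline' data: 'self'; "
    "img-src data: 'self' upload.wikimedia.org commons.wikimedia.org"
)
PAGE = "https://query.wikidata.org"   # origin that serves the query GUI


def thread_checks(header: str = THREAD_POLICY) -> dict[str, bool]:
    """Evaluate the loads the thread discusses; every URL below is constructed."""
    p = parse_csp(header)
    return {
        "inline_script": inline_allowed(p, "script-src"),   # embed.html's inline init script
        "inline_style": inline_allowed(p, "style-src"),
        "own_script": url_allowed(p, "script-src", "https://query.wikidata.org/js/init.js", PAGE),
        "jsonp_script": url_allowed(p, "script-src", "https://www.wikidata.org/w/api.php?callback=cb", PAGE),
        "cors_fetch": url_allowed(p, "connect-src", "https://www.wikidata.org/w/api.php", PAGE),
        "commons_image": url_allowed(p, "img-src", "https://commons.wikimedia.org/a.png", PAGE),
        "data_image": url_allowed(p, "img-src", "data:image/png;base64,AAAA", PAGE),
    }


if __name__ == "__main__":
    for name, ok in thread_checks().items():
        print(f"{name:14} {'allowed' if ok else 'BLOCKED'}")
```

Running it against the quoted policy blocks the inline script, the JSONP `<script>` and the CORS fetch alike, while own-origin scripts, inline styles and the listed image hosts pass; appending `connect-src 'self' www.wikidata.org` to the header makes only the CORS fetch pass, which is the check worth repeating against the final header before it goes into the VCL.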
Lucas_Werkmeister_WMDE added a comment.
Yeah, that should be possible – I //think// we only load scripts from
query.wikidata.org itself (plus a handful of inline ones that could be
converted), not from any other domains.