Puikstekend added a comment.

  Thanks for the reply, Lydia! Looks like this issue stems from the Content 
Security Policy set by the Wikidata Query Builder server. I narrowed the issue 
down to a CSP restriction on the iframe sandbox. It tries to download a 
resource at //blob:https://query.wikidata.org/xxx //, but this violates the CSP 
//default-src self;// and //connect-src 'self' https://www.wikidata.org 
https://meta.wikimedia.org; // directives because the scheme does not match any 
of the listed sources. (When going directly to the 
https://query.wikidata.org/embed.html page, I also didn't get this issue, 
because there is no longer an iframe that tries to download a blob object.)
  
  I'm not exactly sure what is necessary to resolve this issue, but I think 
there are two things to look at first:
  
  - add //blob:https://query.wikidata.org // to the //connect-src// directive 
in the CSP in the http headers (see MDN 
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src>)
  - //allow-downloads// directive on the iframe sandbox (see MDN 
<https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox>)
  
  Note that Google's CSP evaluator <https://csp-evaluator.withgoogle.com/> 
already lists a high severity finding for this page ('unsafe-inline' allows the 
execution of unsafe in-page scripts and event handlers.)

TASK DETAIL
  https://phabricator.wikimedia.org/T323451
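Added example (not part of the comment above or of the Query Builder code): a small CSP connect-src matcher that shows why the blob: download is refused by the quoted policy and passes once the `blob:` scheme source is listed. In CSP, blob: URLs are matched by the scheme source `blob:`; the origin embedded after the scheme is not a host that `'self'` or a host-source can match. The policy strings, page origin and blob URL are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policy, taken from the directives quoted in the comment.
ORIGINAL_CSP = ("default-src 'self'; "
                "connect-src 'self' https://www.wikidata.org https://meta.wikimedia.org")
# Same policy with the blob: scheme source added to connect-src.
FIXED_CSP = ORIGINAL_CSP + " blob:"

PAGE_ORIGIN = "https://query.wikidata.org"
BLOB_URL = "blob:https://query.wikidata.org/constructed-uuid"  # constructed sample


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Match one source expression against a URL (simplified CSP3 rules)."""
    u, p, e = urlsplit(url), urlsplit(page_origin), expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        # 'self' requires a same-origin host; a blob: URL carries no host of its
        # own (urlsplit puts everything after "blob:" into the path).
        return u.hostname is not None and (u.scheme, u.hostname) == (p.scheme, p.hostname)
    if e.endswith(":") and "://" not in e:
        return u.scheme == e[:-1]  # scheme-source such as blob: or https:
    if "://" in e:  # host-source, optional leading "*." wildcard
        scheme_part, _, rest = e.partition("://")
        host_part = rest.split("/")[0].split(":")[0]
        if u.scheme != scheme_part or u.hostname is None:
            return False
        if host_part.startswith("*."):
            return u.hostname.endswith(host_part[1:])
        return u.hostname == host_part
    return False


def fetch_allowed(header, url, page_origin):
    """Decide whether a fetch/XHR to url is allowed by connect-src (falls back to default-src)."""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive, CSP does not restrict the fetch
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    print("original policy allows blob:", fetch_allowed(ORIGINAL_CSP, BLOB_URL, PAGE_ORIGIN))
    print("fixed policy allows blob:   ", fetch_allowed(FIXED_CSP, BLOB_URL, PAGE_ORIGIN))
```

Listing `blob:` only widens connect-src to blob: URLs created by the page itself, so it is the narrow fix; the 'unsafe-inline' finding the evaluator reports is a separate script-src issue the matcher does not cover.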

_______________________________________________
Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org