Hello Analytics!
Recently, it seems browsers started throwing warnings when attempting to load resources via XHR, unless they are whitelisted with a meta tag (I think that is how it works).
So for instance, in the JavaScript console, https://tools.wmflabs.org/pageviews now throws the warning:
[Report Only] Refused to connect to 'https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia...' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem: mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org *.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org *.mediawiki.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
This is not an issue with the Pageviews API, specifically, but it appears many of the tools using it are affected (Treeviews https://tools.wmflabs.org/glamtools/treeviews/, Wikistats https://tools.wmflabs.org/wikistats/, etc.). So I was hoping you kind folks would know of a solution?
I've been trying to go by https://developers.google.com/web/fundamentals/security/csp/ for clues. I think we need something similar to:
<meta http-equiv="Content-Security-Policy" content="connect-src 'self' wikimedia.org;">
But this does not do the trick.
Any ideas?
Many thanks,
~Leon
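
An added example, not part of the original message: a simplified JavaScript model of CSP source matching, run against the policy from the console warning and the meta tag quoted above. It shows that *.wikimedia.org covers subdomains but not the bare host wikimedia.org, and that a meta policy is checked alongside the report-only policy instead of replacing it. The policy labels are constructed and the request URL is shortened to its visible prefix.

```javascript
// Simplified CSP matcher: 'self', scheme-sources and host-sources only
// (ports, paths, nonces and hashes are ignored).
const HEADER_POLICY = "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: " +
  "filesystem: mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org " +
  "*.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org " +
  "*.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org *.mediawiki.org";
const META_POLICY = "connect-src 'self' wikimedia.org;";
const PAGE_ORIGIN = 'https://tools.wmflabs.org';
// Request URL shortened to the part visible in the console message.
const API_URL = 'https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/';

function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  // "*.example.org" covers subdomains only, never the bare "example.org".
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function connectAllowed(policyText, pageOrigin, requestUrl) {
  const policy = parsePolicy(policyText);
  // connect-src falls back to default-src when it is not set.
  const sources = policy.get('connect-src') ?? policy.get('default-src');
  if (!sources) return true; // this policy does not govern the request
  const url = new URL(requestUrl);
  return sources.some((src) => {
    if (src === "'self'") return url.origin === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
    return hostMatches(src.toLowerCase(), url.hostname);
  });
}

// Each policy on a page is checked on its own; a request must satisfy all of them.
function violatedPolicies(policies, pageOrigin, requestUrl) {
  return policies.filter((p) => !connectAllowed(p.text, pageOrigin, requestUrl))
    .map((p) => p.name);
}

console.log(violatedPolicies([{ name: 'report-only header', text: HEADER_POLICY },
  { name: 'meta tag', text: META_POLICY }], PAGE_ORIGIN, API_URL));
```

The meta policy on its own permits the request, but the report-only policy is still evaluated separately, so the console warning stays until that policy itself lists wikimedia.org.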