Awesome, thanks Bryan, and thanks Leon for the report.

On Mon, Mar 26, 2018 at 4:20 PM, Bryan Davis <bd808@wikimedia.org> wrote:
On Mon, Mar 26, 2018 at 12:49 PM, Leon Ziemba <musikanimal@wikimedia.org> wrote:
> Hello Analytics!
>
> Recently, it seems browsers started throwing warnings when attempting to
> load resources via XHR, unless they are whitelisted with a meta tag (I think
> is how it works).
>
> So for instance, in the JavaScript console,
> https://tools.wmflabs.org/pageviews now throws the warning:
>
> [Report Only] Refused to connect to
> 'https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Cat/daily/2018020100/2018022800'
> because it violates the following Content Security Policy directive:
> "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem:
> mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org *.wikinews.org
> *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org
> *.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org
> *.mediawiki.org ". Note that 'connect-src' was not explicitly set, so
> 'default-src' is used as a fallback.
>
> This is not an issue with the Pageviews API, specifically, but it appears
> many of the tools using it are affected (Treeviews, Wikistats, etc.). So I
> was hoping you kind folks would know of a solution?
>
> I've been trying to go by
> https://developers.google.com/web/fundamentals/security/csp/ for clues. I
> think we need something similar to:
>
> <meta http-equiv="Content-Security-Policy" content="connect-src 'self'
> wikimedia.org;">
>
> But this does not do the trick.
>
> Any ideas?

The logged error is a warning only. I have been working on setting up
a Content-Security-Policy-Report-Only header and a data collector for
Toolforge (see <https://phabricator.wikimedia.org/T130748>) to
determine the extent of 3rd party data usage. The rule set is
currently "alpha" quality and your report has helped identify a
problem.

The current Content-Security-Policy-Report-Only header allows
"*.wikimedia.org", but not "wikimedia.org". The meta header in your
code won't help because layered Content-Security-Policy settings can
only become more restrictive. I'll put up a patch to add the bare TLD
and silence this report.

Bryan
--
Bryan Davis              Wikimedia Foundation    <bd808@wikimedia.org>
[[m:User:BDavis_(WMF)]] Manager, Cloud Services          Boise, ID USA
irc: bd808                                        v:415.839.6885 x6855

_______________________________________________
Analytics mailing list
Analytics@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/analytics