
Special:GraphSandbox broken due to Content Security Policy
Closed, Declined | Public

Description

https://de.wikipedia.org/wiki/Spezial:GraphSandbox is broken. The web console shows CSP violations:

Laden fehlgeschlagen für das <script> mit der Quelle "https://de.wikipedia.org/w/load.php?lang=de&modules=startup&only=scripts&raw=1&skin=vector". Spezial:GraphSandbox:12:1
Einige Cookies verwenden das empfohlene "SameSite"-Attribut inkorrekt. 2
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src"). Spezial:GraphSandbox:6:1
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src"). Spezial:GraphSandbox:9:1
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf https://de.wikipedia.org/w/load.php?lang=de&modules=startup&only=scripts&raw=1&skin=vector blockiert ("script-src").
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf inline blockiert ("script-src"). Spezial:GraphSandbox:217:1
Anfrage für Zugriff auf Cookies oder Speicher für "https://login.wikimedia.org/wiki/Special:CentralAutoLogin/checkLoggedIn?wikiid=dewiki&proto=https&type=1x1" wurde blockiert, weil alle Anfragen für Speicherzugriff für nicht direkt aufgerufene Websites (Drittanbieter) blockiert werden und das Blockieren von Seitenelementen aktiviert ist.

Not logged in, private window, Firefox 82.0

Related Objects

Status     Subtype    Assigned    Task
Declined   None
Duplicate  None

Event Timeline

Reedy renamed this task from "Spezial:GraphSandbox brocken due to Content Security Policy" to "Special:GraphSandbox broken due to Content Security Policy". Oct 28 2020, 6:19 PM
Reedy added a project: ContentSecurityPolicy.

Is this still a problem? Is this problem specific to the content attempting to be rendered?

I currently cannot reproduce.

Not being logged in, in Firefox 98 on https://de.wikipedia.org/wiki/Spezial:GraphSandbox, I get:

Content Security Policy: The report URI (about:blank) should be an HTTP or HTTPS URI.

Content Security Policy: The page’s settings observed the loading of a resource at blob:https://de.wikipedia.org/983087ac-4e3f-4f3d-827b-d7e45ec51bf6 (“worker-src”). A CSP report is being sent.

Some cookies are misusing the recommended “SameSite“ attribute

Cookie “dewikiwmE-sessionTickLastTickTime” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite load.php:1270:111
Cookie “dewikiel-sessionId” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite load.php:1270:111
Cookie “dewikiwmE-sessionTickTickCount” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite 2 load.php:1270:111
Cookie “dewikiel-sessionId” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite load.php:1270:111
Cookie “dewikimwuser-sessionId” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite load.php:1270:111
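Added example, not code from this task or from MediaWiki: a small Python checker that reproduces the two kinds of console message quoted in this task, a CSP `script-src` decision (inline script or an external script URL, as in the description above) and the SameSite=None-without-Secure cookie warning in the comment above. The policy string, page origin, URLs and Set-Cookie values in the block are constructed samples, not headers captured from de.wikipedia.org, and the source-expression matching is simplified (scheme, host and path only, no port handling).

```python
"""Constructed checks for the two browser-console warnings discussed in this task:
a CSP script-src block and a SameSite=None cookie lacking Secure.
Sample headers below are constructed, not captured from any wiki."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample policy: nonce-based script-src plus a wildcard host.
CSP_SAMPLE = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' *.example.org; "
              "report-uri /w/api.php?action=cspreport")
PAGE_ORIGIN = "https://de.example.org"  # constructed page origin


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src governs scripts; when absent, default-src applies."""
    return policy.get("script-src", policy.get("default-src", []))


def allows_inline_script(policy: Dict[str, List[str]]) -> bool:
    """Inline scripts need 'unsafe-inline'; a nonce or hash source disables that keyword."""
    srcs = script_sources(policy)
    if any(s.startswith("'nonce-") or s.startswith("'sha") for s in srcs):
        return False
    return "'unsafe-inline'" in srcs


def _host_match(pattern: str, host: str) -> bool:
    """'*.example.org' matches subdomains only; anything else must match exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def allows_script_url(policy: Dict[str, List[str]], url: str, page_origin: str) -> bool:
    """Return True if some script-src source expression matches the script URL."""
    u = urlsplit(url)
    o = urlsplit(page_origin)
    for expr in script_sources(policy):
        if expr == "*":
            return True
        if expr == "'self'":
            if (u.scheme, u.netloc) == (o.scheme, o.netloc):
                return True
            continue
        if expr.startswith("'"):          # keywords, nonces, hashes never match a URL
            continue
        if expr.endswith(":"):            # scheme-source such as "https:"
            if u.scheme == expr[:-1]:
                return True
            continue
        scheme, _, rest = expr.partition("://")
        if not rest:                      # host-source without scheme: page scheme applies
            scheme, rest = o.scheme, scheme
        host, _, path = rest.partition("/")
        host = host.split(":")[0].lower()
        if scheme != u.scheme or not _host_match(host, (u.hostname or "").lower()):
            continue
        if path:
            want = "/" + path
            if want.endswith("/"):
                if not u.path.startswith(want):
                    continue
            elif u.path != want:
                continue
        return True
    return False


def cookie_samesite_problem(set_cookie: str) -> Optional[str]:
    """Describe a SameSite misconfiguration of the kind Firefox warns about, or None."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite")
    if samesite is None or samesite.lower() in ("strict", "lax"):
        return None                       # no SameSite, or a value that needs no Secure
    if "secure" not in attrs:             # SameSite=None or an invalid value requires Secure
        return f"{name}: SameSite={samesite} without Secure; the browser will reject it"
    return None


if __name__ == "__main__":
    policy = parse_csp(CSP_SAMPLE)
    print("inline allowed:", allows_inline_script(policy))
    print("load.php allowed:", allows_script_url(policy, PAGE_ORIGIN + "/w/load.php?modules=startup", PAGE_ORIGIN))
    print(cookie_samesite_problem("sessionId=abc; Path=/; SameSite=None"))
```

With the sample policy the inline `<script>` blocks from the description are refused (nonce present, no matching nonce on the tag), a same-origin `load.php` URL is allowed via `'self'`, and a `SameSite=None` cookie without `Secure` is reported; a policy of `script-src 'unsafe-inline'` without a nonce would allow the inline script, which is the trade-off a CSP rollout has to weigh against pages like GraphSandbox that still rely on inline scripts.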
Jdlrobson changed the task status from Open to Stalled. Apr 25 2023, 12:04 AM
Jdlrobson subscribed.

I'm unclear if this is still an issue. Let's try to reproduce when we are back online.

The Graph extension is being archived.