
Content Security Policy Violation: Extension:AddThis
Closed, Resolved | Public


During unrelated testing, a CSP violation was discovered:

addthis_widget.js:2 Refused to load the script '' because it violates the following Content Security Policy directive: "default-src 'self' blob: data:  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 'unsafe-inline' 'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback

I believe this to be connected to Extension:AddThis. I was logged out at the time (despite being globally logged in, but that's another issue).

Event Timeline

Extension disabled on TestWiki, but no other action taken globally as of now, as CSP seems to work.

John lowered the priority of this task from High to Normal. Nov 17 2019, 12:16
John changed the visibility from "Custom Policy" to "Public (No Login Required)".
John changed the edit policy from "Custom Policy" to "All Users".
John edited projects, added Technology-Team; removed acl*security.

Per Staff IRC, this needs discussion among Technology-Team to determine whether to
a) Turn off the cause (either the extension or feature leading to the CSP Violation if possible)
b) Add this to the CSP whitelist

as leaving a CSP violation showing in consoles isn't good practice.
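The console message in the task description turns on one detail: no `script-src-elem` (or `script-src`) directive was set, so the browser fell back to `default-src` when deciding whether the widget script could load. The two options in the comment above (turn the source off, or add it to the allowlist) behave differently depending on which directive ends up governing that decision. The following evaluator is an added example, not code from Miraheze or from Extension:AddThis; it models the fallback chain and host-source matching so the two outcomes can be compared offline. The page origin, the host list in the policy (the real hosts were redacted as `*` in the console output), and the widget host `widget.example` are constructed placeholders.

```javascript
// Added example: a minimal CSP evaluator for <script src> loads.
// Models the fallback chain script-src-elem -> script-src -> default-src that
// the console message describes. All hosts and URLs are constructed placeholders.

const SCRIPT_FALLBACK = ["script-src-elem", "script-src", "default-src"];
const NETWORK_SCHEMES = ["http:", "https:", "ws:", "wss:"];
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a serialized policy into Map<directive name, source list>.
// As in browsers, the first occurrence of a directive name wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Which directive governs script element loads? null means no restriction applies.
function governingDirective(directives) {
  for (const name of SCRIPT_FALLBACK) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// Does one source expression from the directive match the script URL?
function sourceMatches(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'self'") return url.origin === pageOrigin;
  if (lower.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never match a URL
  if (lower === "*") return NETWORK_SCHEMES.includes(url.protocol);
  if (lower.endsWith(":")) return url.protocol === lower; // scheme-source such as data: or blob:
  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = lower.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (scheme + ":" !== url.protocol) return false;
  } else if (!(url.protocol === pageScheme || (pageScheme === "http:" && url.protocol === "https:"))) {
    return false; // no scheme given: match the page's scheme (http pages may also use https)
  }
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port && port !== "*" && urlPort !== port) return false;
  if (path && !(url.pathname === path || (path.endsWith("/") && url.pathname.startsWith(path)))) return false;
  return true;
}

// Decide whether a script element with src=scriptUrl may load under the policy.
function evaluateScriptLoad(policy, scriptUrl, pageOrigin) {
  const gov = governingDirective(parseCsp(policy));
  if (!gov) return { allowed: true, directive: null, reason: "no script directive set" };
  let url = null;
  if (scriptUrl !== "") { // the console showed '' as the refused URL; treat empty as nothing to match
    try { url = new URL(scriptUrl, pageOrigin); } catch (e) { url = null; }
  }
  if (!url) return { allowed: false, directive: gov.name, reason: "empty or unparsable script URL" };
  const allowed = gov.sources.some((s) => sourceMatches(s, url, pageOrigin));
  return {
    allowed,
    directive: gov.name,
    reason: allowed ? `matched a source in ${gov.name}` : `no source in ${gov.name} matches ${url.origin}`,
  };
}

// Constructed stand-ins for the situation in the task.
const PAGE_ORIGIN = "https://test.example.wiki";
const WIDGET = "https://widget.example/addthis_widget.js";
// Shape of the policy from the console message, with placeholder hosts where the real ones were redacted.
const CURRENT_POLICY =
  "default-src 'self' blob: data: static.example.wiki *.example.wiki 'unsafe-inline' 'unsafe-eval'";
// Option (b), allowlisting the widget host in the directive that currently governs scripts.
const ALLOWLISTED_POLICY = CURRENT_POLICY.replace("*.example.wiki", "*.example.wiki widget.example");
// Option (b) written as a dedicated script-src-elem: default-src no longer applies to script elements at all.
const STRICT_POLICY =
  CURRENT_POLICY + "; script-src-elem 'self' static.example.wiki *.example.wiki widget.example";

console.log(evaluateScriptLoad(CURRENT_POLICY, WIDGET, PAGE_ORIGIN));
console.log(evaluateScriptLoad(ALLOWLISTED_POLICY, WIDGET, PAGE_ORIGIN));
console.log(evaluateScriptLoad(STRICT_POLICY, WIDGET, PAGE_ORIGIN));
```

The `directive` field in the result is the part worth watching. Under `CURRENT_POLICY` and `ALLOWLISTED_POLICY` the decision is made by `default-src`, so whatever is allowlisted there also applies to every other fetch type. Once a `script-src-elem` directive exists, the fallback stops and that directive alone decides script element loads: `'unsafe-inline'`, `data:` and `blob:` from `default-src` no longer cover scripts unless they are repeated, which is why `STRICT_POLICY` blocks a `data:` script that `CURRENT_POLICY` would have allowed. Any allowlist change for option (b) should therefore be checked against the directive that actually governs after the change, not the one named in the console message.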

This is fine from me, but needs a second person to approve per policy.